Privacy Policy on Whistleblowing

Privacy Policy on Whistleblowing in the SEFE Group

September 2023

This privacy policy provides information about personal data processed in relation to the whistleblowing process of SEFE Securing Energy for Europe Holding GmbH and its affiliates (hereinafter also “SEFE”, “SEFE Group” or “we”).

Personal data is any information relating to an identified or identifiable natural person. Anonymous data, without the possibility to identify you, are not treated as personal data. We store your personal data in a safe and secure way to protect it from loss, unauthorized disclosure or access and process it in accordance with the provisions of GDPR[1] and applicable national laws.

Our whistleblowing procedures aim at ensuring a smooth and easy process for all involved individuals and legal entities within the SEFE Group. They are set up globally for all locations and legal entities to ensure the best possible outcome for both the involved individuals and the SEFE Group. Consequently, you may face more than one SEFE Group entity involved in and accountable for the processing of your personal data alongside a submission. The respective SEFE Group company is responsible for the processing of your personal data in accordance with Art. 4 No. 7 GDPR. This means that this SEFE Group entity determines the objectives and purposes for the processing of personal data.

In addition, SEFE Group companies act under joint responsibility in organising and conducting the whistleblowing handling procedures pursuant to Art. 26 of the GDPR. The companies of the SEFE Group have concluded a joint controllership agreement for this purpose. They have stipulated that SEFE Securing Energy for Europe GmbH is responsible for the overall process management, reporting channel provision and maintenance, data subject information and data subject request processing within the Group-wide whistleblowing handling to ensure data subject rights pursuant to Art. 15 to 21 of the GDPR. However, within the scope of joint controllership, you can in principle assert your data subject rights against each of the joint controllers. For more details on your rights, please refer to section 10.

Whistleblowing submission via our WhistleB platform

To ensure the most secure and comfortable way for those who would like to submit a message, the SEFE Group maintains a whistleblowing channel on the WhistleB platform at https://report.whistleb.com/en/sefe or https://report.whistleb.com/de/sefe.

WhistleB is a platform which allows individuals – internal SEFE Group employees, contract staff or any external parties – to report suspected wrongdoing by or involving SEFE or a SEFE employee or contractor that is in violation of or inconsistent with the SEFE Code of Ethics and Business Principles, breaches applicable laws or represents unethical practice.

Individuals who submit a message may choose to be identified or anonymous. Upon submission of a message in WhistleB, SEFE’s Compliance team is notified and will access the report and ensure onward investigation.

The WhistleB platform is a state-of-the-art technology provided by an independent EU-based third-party specialist, WhistleB Whistleblowing Centre AB (“WhistleB AB”). We have taken the required contractual, technical, and organizational measures to ensure that any personal data submitted on the WhistleB platform is adequately secured and only processed for authorized purposes.

 

Important Notice

To ensure increased security during data transmission, it is imperative to access the WhistleB platform exclusively in the so-called incognito mode. To open an incognito window, adhere to the following procedures:

  • Open your browser.
  • Press Ctrl+Shift+N (Windows) or Command+Shift+N (Mac), or
    switch to private mode through the tab menu on mobile devices.
  • Copy the URL report.whistleb.com/en/sefe or https://report.whistleb.com/de/sefe
    into the address bar of the incognito window (the incognito mode is usually identified by the dark address bar).

This measure helps to protect your anonymity.

 

1. RESPONSIBILITY FOR DATA PROCESSING AND CONTACT DETAILS

The data controller (within the meaning of Article 4 No. 7 GDPR) responsible for the processing of personal data in relation to the WhistleB platform is

SEFE Securing Energy for Europe GmbH, Markgrafenstraße 23, 10117 Berlin, Germany
phone: +49 30 20195 0
email: info@sefe.eu

The jointly responsible data controllers for the processing of personal data within the investigation procedures are

SEFE Securing Energy for Europe GmbH, Markgrafenstraße 23, 10117 Berlin, Germany
phone: +49 30 20195 0
email: info@sefe.eu

and

SEFE Marketing & Trading Ltd., 20 Triton St, London NW1 3BF, United Kingdom
phone: +44 207 756 0000
email: info@sefe.eu

together with the SEFE Group company(ies) affected by the investigation case, in particular

SEEHG Securing Energy for Europe Holding GmbH, Markgrafenstraße 23, 10117 Berlin, Germany
phone: +49 30 20195 0
email: info@sefe.eu

SEFE Energy Limited, 20 Triton St, London NW1 3BF, United Kingdom
phone: +44 207 756 0000
email: info@sefe.eu

SEFE LNG Limited, 20 Triton St, London NW1 3BF, United Kingdom
phone: +44 207 756 0000
email: info@sefe.eu

SEFE Marketing & Trading Singapore Pte Limited, 10 Collyer Quay, #10-01 Ocean Financial Centre, Singapore 049315
phone: +44 207 756 0000
email: info@sefe.eu

SEFE Marketing & Trading Switzerland AG, Poststraße 2, 6300 Zug, Switzerland
phone: +44 207 756 0000
email: info@sefe.eu

SEFE Marketing & Trading USA Inc., 1321 Upland Drive, PMB 4943, Houston, TX 77043, USA
phone: +44 207 756 0000
email: info@sefe.eu

SEFE Energy SAS, 68 Avenue des Champs Elysées 75008, Paris, France
phone: +44 207 756 0000
email: info@sefe.eu

WINGAS GmbH, Königstor 20, 34117 Kassel, Germany
phone: +49 561 99858 0
email: info@sefe.eu

WINGAS Benelux SRL/BV, Square de Meeûs 23 (4th. floor), B-1000 Bruxelles/Brussel, Belgium
phone: +32 2 200 00 71
email: info@sefe.eu

astora GmbH, Karthäuserstr. 4, 34117 Kassel, Germany
phone: +49 561 99858-3333
email: info@sefe.eu

SEFE Mobility GmbH, Markgrafenstraße 23, 10117 Berlin
phone: +49 30 20195 0
email: info@sefe.eu

SEFE Commercial GmbH, Königstor 20, 34117 Kassel, Germany
phone: +49 561 99858 0
email: info@sefe.eu

WINGAS Holding GmbH, Königstor 20, 34117 Kassel, Germany
phone: +43 1 890 710+49
email: info@sefe.eu

SEFE Schweiz AG, Poststraße 2, 6300 Zug, Switzerland
phone: + 41 41 528 01 60
email: info@sefe-schweiz.com

SEFE Turkey Enerji A.Ş., Esentepe Mahallesi Kır Gülü Sokak Metro City Kültür Mrk.D Blok 4/4 ŞİŞLİ, Istanbul, Turkey
phone: + 41 41 528 01 60
email: info@sefe-schweiz.com

WIEE Hungary Kft., Váci utca 7. félemelet 4. ajtó, 1052 Budapest, Hungary
phone: +36 1 2024144
email: wiee@wiee.hu

S.C. Wiee Romania S.R.L, Str. Popa Savu nr. 79-81, Cladire Monolit, Et. 5 Sector 1, 011432 Bukarest, Romania
phone: 021/223.50.72 (76) (78)
email: office@wiee.ro

WIEE Bulgaria EOOD, Vihren St. 10, 1618 Sofia, Bulgaria
phone: + 359 886 59 28 38
email: office@wiee.bg

ZGG-Zarubezhgazneftechim Trading GmbH, Karlsgasse 18/2, 1040 Vienna, Austria
phone: +43 1 5046303
email: info@sefe.eu

VEMEX s.r.o., Na Zátorce 289/3, 160 00 Praha 6, Czech Republic
phone: +420 233 382 820
email: vemex@vemex.cz

You can reach our data protection officer or our data protection team at the following contact details: SEFE Securing Energy for Europe GmbH, Data Protection, Markgrafenstraße 23, 10117 Berlin, Germany; email: dataprivacy@sefe.eu.

 

2. DATA PROCESSING AND PURPOSES OF PROCESSING

Which personal data we process in detail and how it is used depends on whether you only visit our WhistleB platform or choose to submit a message.

PLATFORM WEB HOSTING AND APPLICATION DEPLOYMENT

For the provision of the WhistleB platform and application, we use the web hosting service of WhistleB Whistleblowing Centre AB, PO Box 70396, 107 24 Stockholm, Sweden; www.whistleb.com (hereinafter "WhistleB AB").

The provision of the WhistleB platform requires the commissioning of a web hosting service as well as the provision and support of the application. These services are used in accordance with Art. 6 para. 1 p. 1 lit. f GDPR on the basis of our legitimate economic interest in making our offer available on this website. In relation to hosting, WhistleB AB processes on our behalf personal data that is collected using the WhistleB platform website.

We have concluded a data processing agreement with WhistleB AB. Through this agreement, the service provider assures that it processes the data in accordance with the applicable legislation and ensures the protection of the data subject rights. We have taken the required contractual, technical, and organisational measures to ensure that any personal data processed by WhistleB AB is adequately secured and only processed for authorised purposes.

WHEN VISITING THE WHISTLEB PLATFORM

You can access our WhistleB platform website without having to disclose any information about your identity. The browser used on your end device only automatically sends information to our website server (e.g. browser type and version, date and time of access) to enable the website to establish a connection. This also includes the IP address of your requesting end device. This data is temporarily stored in a so-called log file and automatically deleted after 14 days.

The IP address is processed for technical and administrative purposes to establish connection, ensure security and stability of the platform, to ensure the functionality of processing the questionnaire form and your message. Only authorised personnel of our service provider who deal with the support of the web service and the application are entitled to access the data.

The legal basis for the processing of the logged data is Art. 6 para. 1 p. 1 lit. f GDPR. Our legitimate interest follows from the aforementioned security interest and the necessity of a trouble-free provision of our WhistleB platform website.

WHEN SUBMITTING A MESSAGE VIA THE WHISTLEB PLATFORM

The personal data we may collect through the WhistleB platform will include that which may be disclosed by a reporter, including:

  • name, contact details and location of the individual making the report,
  • names and details of potential witnesses or individuals otherwise involved in the allegation,
  • names and details of individuals against whom the allegations are made,
  • information that relates to the alleged behavior of an individual,
  • other case related details, if disclosed by reporter.

Where disclosed by a reporter, we may come into possession of sensitive personal data, such as

  • data relating to an individual’s health,
  • individuals’ racial or ethnic origin,
  • individuals’ religious or philosophical beliefs,
  • individuals’ sexual orientation.

Unless prohibited by local law, individuals are encouraged to provide their name and personal contact details so that any submissions can be directly followed up on. Where the name and personal contact details are provided, your identity will be treated as confidential. The only exceptions are where we are legally required to disclose your identity to protect or defend our rights or those of our employees, customers, suppliers, or business partners, or where we have determined that the allegations were malicious and were made in bad faith.

To ensure the best possible protection of the reporter and to enable the secure processing, investigation and follow-up tracking the following data will be processed by us:

  • Message ID, generated by the WhistleB platform,
  • Message Password, generated by the WhistleB platform for later access to the case.

The legal basis for the processing of the above-mentioned personal data is Art. 6 para. 1 p. 1 lit. c GDPR for the purpose of providing internal communication channels for whistleblower submissions in Germany and the United Kingdom. The legal basis for the processing of the above-mentioned personal data is Art. 6 para. 1 p. 1 lit. f GDPR for all other locations of the SEFE Group, with no applicable legal obligation to provide a whistleblowing service. Our legitimate interest follows from the compliance interest to investigate alleged violations in the same way across the SEFE Group.

WHEN PROCESSING THE CASE, INCLUDING INVESTIGATION AND FOLLOW-UP ACTIVITIES

The personal data we process for case investigation purposes will include

  • User data of a case manager,
  • Logs on changes in the WhistleB platform,
  • Message ID,
  • Message Password for the submission,
  • If provided, contact data of the submitting individual,
  • If provided, personal data of individuals indicated in the message,
  • If provided, personal data of individuals indirectly affected by the investigation,
  • If applicable, personal data of individuals of other parties engaged in further activities (e.g. legal consulting),
  • information related to the case.

The submitting individual will be able to access the case to follow up or to step into communication with the case manager by entering the following data in the WhistleB platform:

  • Message ID,
  • Message Password.

The legal basis for the processing of the above-mentioned personal data is Art. 6 para. 1 p. 1 lit. c GDPR for the purpose of providing internal communication channels for whistleblower submissions in Germany and the United Kingdom. The legal basis for the processing of the above-mentioned personal data is Art. 6 para. 1 p. 1 lit. f GDPR for all other locations of the SEFE Group, with no applicable legal obligation to provide a whistleblowing service. Our legitimate interest follows from our compliance interest to investigate alleged violations in the same way across the SEFE Group, to take any necessary follow up action upon the completion of an investigation and to provide management reporting.

 

3. DATA RETENTION

The data processed within the reported cases is subject to various storage and documentation obligations, which result from national legal provisions, national statutory limitation periods and/or internal regulations. Finally, the storage period is also assessed according to the national statutory limitation periods. It will be processed by us for the time necessary to finish the investigation and to close the case. The following retention and deletion periods will apply to the submitted messages and cases: 3 years from the date of case closure.

In all cases information will be held for a longer period where there is a legal or regulatory reason to do so (in which case it will be deleted once no longer required for the legal or regulatory reason).

 

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS

Your personal data may be disclosed to the following recipients or categories of recipients on a strict need-to-know basis.

INTERNAL RECIPIENTS

  • Designated SEFE employees, responsible for WhistleB platform administration,
  • Designated SEFE case managers, responsible for case administration, investigation and follow-up activities,
  • Designated SEFE employees entitled to investigate alleged wrongdoings and/or to take the required measures to follow up any investigation, such as instituting disciplinary proceedings or legal proceedings.

We have taken extended organisational measures to ensure that any personal data processed by the involved SEFE employees is adequately secured and only processed for authorised purposes. The employees are educated and trained for compliant case processing and are committed to confidentiality.

DATA PROCESSOR

We use service providers who process personal data on our behalf (so-called data processors, cf. Art. 4 No. 8, Art. 28 GDPR). These include service providers in the areas of IT, telecommunications and business services. In these cases, we have concluded data processing agreements with the service providers.

The web host and application provider of our WhistleB platform is WhistleB Whistleblowing Centre AB ("WhistleB AB"). The use of the service by WhistleB AB as a processor is carried out in accordance with Art. 6 para. 1 p. 1 lit. f GDPR due to our legitimate economic interest in providing our WhistleB platform for those who want to submit a message. In relation to hosting, WhistleB AB processes on our behalf personal data that is collected using the WhistleB platform.

We have concluded a data processing agreement with WhistleB AB. Through this agreement, the service provider assures that it processes the data in accordance with the GDPR and ensures the protection of the rights of the data subjects. We have taken the required contractual, technical and organisational measures to ensure that any personal data processed by WhistleB AB is adequately secured and only processed for authorised purposes.

WhistleB AB subcontracts several services to other service providers (for further details please refer to whistleb.com/sub-processors/), e.g. Microsoft Ireland Operations Limited for application hosting and development on the Microsoft Azure platform, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland. The processing of personal data by the subcontracted service providers takes place within the European Union and the United Kingdom.

DISCLOSURE TO THIRD PARTIES

Except in the aforementioned cases of commissioned processing, we may disclose your personal data to third parties if:

  • you have given your express consent to this pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR,
  • there is a legal obligation for the disclosure pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR.

Third parties could be public authorities, government, regulatory or fiscal agencies where it is necessary to comply with a legal or regulatory obligation to which the relevant SEFE company is subject, as permitted by applicable local law.

The data disclosed may be used by the third party exclusively for the purposes stated.

 

5. TRANSFER OF DATA TO A THIRD COUNTRY OR TO AN INTERNATIONAL ORGANISATION

A transfer of your personal data to a third country or an international organisation will only take place if this is necessary within the framework of order processing and the conditions according to Art. 44 et seq. GDPR are given.

We only transmit your personal data when

  • sufficient guarantees are provided by the recipient in accordance with Article 46 para. 1 of the GDPR for the protection of the personal data,
  • you have expressly consented to the transfer in accordance with Art. 49 para. 1 lit. a GDPR after we have informed you of the relevant risks,
  • the transfer is necessary for the performance of contractual obligations between you and us (Art. 49 para. 1 lit. b GDPR)
  • or another derogation from Art. 49 GDPR applies.

Guarantees according to Art. 46 GDPR can be so-called standard contractual clauses. In these standard contractual clauses, the recipient assures to sufficiently protect the data and thus to guarantee a level of protection comparable to the GDPR.

A "third country" is a state outside the European Economic Area (EEA) in which the GDPR is not directly applicable. A third country is considered "unsafe" if the EU Commission has not issued an adequacy decision for that country pursuant to Art. 45 para. 1 GDPR confirming that adequate protection for personal data exists in the country.

 

6. COOKIES

Cookies are data records that your browser automatically creates and that are stored on your end device (laptop, tablet, mobile or similar) when you visit our site. Cookies do not cause any damage to your end device and do not contain any viruses, Trojans or other malware. With the help of cookies, information is stored that is related to the specific end device used. However, this does not mean that we gain direct knowledge of your identity.

The WhistleB platform does not use cookies and processes data (reporting status, ID, password) exclusively in your browser's session storage. Data is deleted as soon as you close the browser window. However, by visiting the homepage of the data processor WhistleB, cookies may be set, which could potentially also be used by the platform. To minimise the risk of de-anonymization, please consider the following recommendation:

Important Notice

To ensure increased security during data transmission, it is imperative to access the WhistleB platform exclusively in the so-called incognito mode. To open an incognito window, adhere to the following procedures:

  • Open your browser.
  • Press Ctrl+Shift+N (Windows) or Command+Shift+N (Mac), or
    switch to private mode through the tab menu on mobile devices.
  • Copy the URL report.whistleb.com/en/sefe or https://report.whistleb.com/de/sefe
    into the address bar of the incognito window (the incognito mode is usually identified by the dark address bar).

This measure helps to protect your anonymity.

 

The same processing principles are valid for WhistleB AB, which does not carry out any monitoring of user performance or analytics of visits. For more information on WhistleB AB privacy settings, please refer to their Privacy Policy at https://whistleb.com/privacy-policy/.

We base the processing of your data (reporting status, ID, password) for the aforementioned technically necessary purposes, pursuant to Art. 6 para. 1 lit. f GDPR, on our legitimate interest in providing a reporting channel for whistleblowers.

 

7. AUTOMATIC DECISION-MAKING AND PROFILING

We do not use your personal data for automated decision-making including profiling.

 

8. DATA SECURITY

We use technical and organisational security measures to protect your personal data from accidental or intentional manipulation, loss, destruction or access by unauthorised persons. In the case of collection and processing of personal data, the information is transmitted in encrypted form to prevent misuse of the data by third parties. Our security measures are continuously revised in line with technological developments.

All data transmitted by you is encrypted using the generally accepted and secure standard TLS (Transport Layer Security). TLS is a tried and tested standard that is also used, for example, for online banking. You can recognise a secure TLS connection by the appended "s" at the http (i.e. ...) in the address bar of your browser or by the lock symbol in the lower area of your browser.

 

9. YOUR RIGHTS

You may exercise your rights of access, of rectification and of objection, as well as of limited processing of your personal data in accordance with the respectively applicable data protection legislation. These rights are subject to any overriding safeguarding measures required to prevent the destruction of evidence or other obstructions to the processing and investigation of the case.

You have the right:

  • to revoke your consent at any time in accordance with Art. 7 (3) GDPR. This has the consequence that we may no longer continue the data processing based on this consent for the future;
  • to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
  • to demand the correction of incorrect or incomplete personal data stored by us without delay in accordance with Art. 16 GDPR;
  • pursuant to Art. 17 GDPR to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise, or defence of legal claims;
  • to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defence of legal claims or you have objected to the processing in accordance with Art. 21 GDPR;
  • in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller; and
  • to complain to a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

In addition, you have a right to object in accordance with Art. 21 GDPR:

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(f) GDPR (data processing on the basis of a balance of interests); this also applies to any profiling based on this provision within the meaning of Article 4(4) GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If you wish to exercise your right of objection or any of your other data subject rights, please write to us at dataprivacy@sefe.eu.

If you have any issues, queries or complaints regarding the processing of your personal data for the purposes of the whistleblowing submissions you can contact our compliance team at compliance@sefe.eu.

 

10. UPDATE AND AMENDMENT OF THIS PRIVACY POLICY

This privacy policy is currently valid and has the status of September 2023.

Due to the further development of our services or due to changed legal requirements, it may become necessary to change this privacy policy in future.

 


[1] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). In this document, GDPR shall always be applied and interpreted in conjunction with the applicable national legal provisions (e.g. BDSG in Germany and DPA2018 with UK GDPR in the United Kingdom).
