Whistleblowing policy

The code of conduct of REYNAERS ALUMINIUM (hereinafter referred to as ‘employer’) contains core values, standards and rules for the entire company, to be respected in our relationships with all our contacts: customers, suppliers, governments, shareholders and employees.

The employer sets high standards in terms of openness and integrity. In this context, the employer calls on its staff who are concerned about an (alleged) violation of the employer's code of conduct or about infringements of European and Belgian law as listed under title 3 to express these concerns without fear of reprisals, such as sanctions and/or unfair treatment.

A reporting procedure has been developed as a guideline for expressing such concerns. This procedure describes the protection that whistleblowers receive, as well as the manner in which a whistleblower can report a violation and the follow-up that will be given to it. The employer does not expect an individual whistleblower to be able to prove that an allegation is justified. However, they must be able to demonstrate that there are sufficient grounds to believe that something is wrong.

The general rule is that reports or suspicions of integrity violations should first be discussed with the immediate supervisor or their hierarchical superior. If this is not possible or does not lead to the desired response, the reporter can always contact the (internal/external) confidential advisor. This reporting procedure does not affect the rules on exercising the right to consult employee representatives or trade unions and on protection against unjustified disadvantageous measures as a result of these consultations.

However, if for any reason there are no other options available to raise the issue, the reporter can contact the internal reporting channel or an independent external reporting centre. If this is no longer possible, the reporter can make the violation public.

The organisation of the internal reporting channel, the procedures to be followed for internal reporting and the follow-up of reports are set up after consultation with the social partners.

Breach:

Acts or omissions that:

• are unlawful and relate to the areas listed in Article 3 “Scope of application,” or
• contravene the purpose or application of the regulations falling within the areas listed in Article 3.

Information about breaches:

Information, including reasonable suspicions, about actual or potential infringements that have occurred or are very likely to occur, as well as attempts to conceal such infringements.

Reporter:

A natural person who, in the context of their work-related activities, reports or discloses information about breaches verbally or in writing. A work-related activity or context refers to current or former professional activities in the private sector through which, regardless of the nature of those activities, persons may obtain information about breaches and where those persons may face reprisals if they report such information. The whistleblower may be a (future) employee, former employee, independent service provider, volunteer, paid or unpaid intern, (employee of a) customer, supplier or (sub)contractor, shareholder, or a person belonging to the administrative, management, or supervisory body of a company who has obtained information in a professional context about a possible violation that they wish to report.

Facilitator:

A natural person who assists a whistleblower in the reporting process and whose assistance must be confidential.

Person involved:

A natural person (e.g. a colleague) or legal entity (e.g. a company) who is mentioned in the report or disclosure as the person to whom the breach is attributed or with whom that person is associated.

Report manager:

The impartial person or service authorised to follow up on reports of breaches, maintain communication with the reporter, request additional information from them if necessary, provide them with feedback and, where applicable, receive and handle reports.

Reprisals:

A direct or indirect act or omission in response to an internal or external report or disclosure, which results or may result in unjustified detriment to the whistleblower.

Within the framework of this policy, a distinction is made between social integrity on the one hand and business integrity on the other.

Confidential work in the field of social integrity relates to undesirable behaviour such as bullying, discrimination on the basis of gender, age, disability, sexual orientation, sexual life, racial or ethnic origin, religious or philosophical beliefs, undesirable sexual behaviour, violence, etc. This requires a different approach. Although the employer considers undesirable behaviour to be a breach of integrity, it does not fall within the specific scope of whistleblower legislation.

Violations of business integrity, as specified below, on the other hand, include the handling of confidential information, equipment and goods, health and safety, and the nature of contacts with (potential) customers and suppliers. It also concerns breaches of integrity relating to accounting, financial, banking, auditing, bribery and competition matters.

The difference between the two is that socially undesirable behaviour often involves a directly identifiable complainant and defendant between whom the undesirable behaviour occurs, whereas business integrity issues can be identified and discussed without the person reporting them (e.g. as a victim) being directly involved. In practice, the distinction between social and business integrity is not always clear. As a guideline, undesirable behaviour is primarily directed against an individual, while other integrity violations are more likely to be directed against (the interests of) one's own organisation, external organisations or society as a whole.

The breaches of business integrity concern the following areas of European and Belgian law:

• Public procurement;
• Financial services, products and markets, prevention of money laundering and terrorist financing;
• Product safety and product conformity;
• Transport safety;
• Environmental protection;
• Radiation protection and nuclear safety;
• Food and feed safety, animal health and animal welfare;
• Public health;
• Consumer protection;
• Protection of privacy and personal data, and security of network and information systems;
• Infringements relating to the internal market of the European Union, such as infringements of state aid and competition rules: anti-competitive behaviour and agreements, abuse of pricing, abuse of dominant position, etc.;
• Tax fraud;
• Combating social fraud;
• Infringements affecting the financial interests of the Union.

It is these reports that must be made in accordance with the procedure described below in order to enjoy legal protection against reprisals.

a. Choosing the most appropriate reporting channel

A whistleblower has various methods at their disposal for reporting a breach. Social and interpersonal integrity breaches are best reported via the first three channels listed. Breaches that fall within the scope of the whistleblower procedure are best reported by the reporter using one of the methods listed below. Methods 4, 5, and 6 are specifically intended for business integrity violations within the framework of the whistleblower procedure and can only be used in that context.

1. A report of an (alleged) breach can initially be made to the manager.
2. If circumstances do not allow this or if the manager does not respond adequately to the report, the reporter can report an (alleged) breach to a local confidential advisor or the personnel department (HR).
3. The reporter also always has the right to consult their employee representatives or trade unions, and they will remain protected against unjustified adverse measures as a result of these consultations.
4. If the reporter believes that, for one reason or another, they cannot turn to these persons, they can make an internal report. An internal report is a report of a breach within a legal entity (the company) by providing written information about breaches via the internal reporting channel, the procedure for which is described in more detail under the heading “b. submitting a report via the internal reporting channel”.
5. After the reporter has used the internal reporting channel or, in the exceptional case that the reporter believes that he/she cannot use the internal reporting channel despite the guarantees prescribed in this policy (such as confidentiality, protection against reprisals, etc.), they may make an external report, either verbally or in writing, via the external reporting channel Federal Ombudsman (Whistleblowers) organised by the Government, as explained further under the heading ‘c. Submitting a report via the government's external reporting channel’.
6. A public report or disclosure of information about breaches is possible if the strict conditions set out under the heading ‘d. Disclosure of a breach in exceptional circumstances’ are met.

b. Submitting a report via the internal reporting channel

The whistleblower has the option of submitting an anonymous report. However, anonymous reports can have certain disadvantages:

• it is more difficult to follow up on the report because additional communication is more difficult with anonymous whistleblowers;
• it is more difficult for the company to protect an anonymous whistleblower against possible or rather subtle reprisals.

Reports must be submitted in writing via the Whistleblowers web application: Reynaers.sdwhistle.com

A report must contain at least the following:

• The name, address, position and contact details of the person making the report, unless they wish to remain anonymous;
• The date of the report;
• A detailed description of the (alleged) breach, such as:
  • a description of the (alleged) breach;
  • any attachments (documentation or evidence);
  • the identification of the possible person(s) or departments of the company involved;
  • where the breach occurred;
  • when the breach occurred;
  • how and when the reporter noticed the breach or was made aware of it;
  • your relationship with the company (employee, freelancer, supplier, shareholder, etc.), unless the reporter is making an anonymous report;
  • the impact of the incident (on the company, on the public interest, etc.)
  • and any other relevant information regarding the (alleged) breach.

The report is always recorded in a secure registration system equipped with the necessary technical and organisational security measures and access management.

The employer has appointed two report managers who are the most suitable persons within the organisation to manage the reports confidentially and independently without any risk of conflicts of interest. The report managers are: CHRO and Legal Counsel.

Admissibility and preliminary investigation

i. The report manager shall confirm receipt of the written report to the reporter within seven (7) days in all cases.

• The report manager will first check whether the report is admissible and will make an initial assessment. The primary purpose of this assessment is to evaluate the nature, reliability and accuracy of the information provided.
• Based on this assessment, the report manager may decide that the report is inadmissible, in which case he must inform the reporter in writing of the reason for rejection, or that they will conduct a further preliminary investigation.

b) If a preliminary investigation is initiated and the report manager considers that further investigation is necessary, an anonymised opinion will be submitted to the CEO and CFO after completion and with the consent of the reporter, unless (one of) these parties is involved, in which case this opinion will be submitted to the Chairman of the Board of Directors. This advice will set out the reasons for further investigation and include an initial action plan.

c) If the preliminary investigation reveals that the report is deliberately false, the file will be forwarded to the employer's personnel director for further action.

Investigation

a) Based on the aforementioned advice, the CEO, together with the CFO, will decide whether and with which investigation committee the investigation should be carried out: in each case supplemented by internal or external experts, or an external party supplemented by internal (staff) member(s) where appropriate.

b) The reporter will also be informed in writing that a thorough investigation is being launched.

c) The investigation committee will conduct the investigation within a reasonable period of time. As a general rule, this period shall not exceed three months after the confirmation of receipt has been sent to the reporter. Within this period, the reporter will also receive feedback on the follow-up, the measures planned or taken, and the reasons for that follow-up.

During the investigation and therefore also after the initial three-month period, the reporter will receive general information about the progress of the investigation and the outcome, unless the reporter does not wish this or it is detrimental to the reporter or the investigation, or unless there are other valid reasons for not informing the reporter.

Final report

The final report includes the following steps:

a) The investigation committee reports its findings in writing to the CEO and CFO, who decide what action should be taken.

b) The reporting manager informs the reporter that the investigation committee's findings have been sent to the CEO and CFO.

c) The identity of the whistleblower is protected in the final report, unless they have given their written consent to disclose their identity. The identity of the person(s) involved is only included if the investigation of the report has led to demonstrable facts.

d) If the investigation committee considers that sanctions should be imposed, it will provide a copy of the final report to the competent person in management.

c. Submitting a report via the government's external reporting channel

After first reporting the matter via an internal reporting channel, the (anonymous) reporter can report a breach via an external government reporting channel if no appropriate measures have been taken via the internal procedure. The reporter can also report the matter directly via the external government reporting channel.

The external reporting channel offers the possibility to make written and verbal reports. A verbal report can be made by telephone or other voice messaging systems and, at the request of the reporter, by means of a physical meeting within a reasonable period of time. The external government reporting channel can be accessed via this link:

https://www.federaalombudsman.be/en/whistleblowers/reporting-integrity-violations-or-breaches-of-law

The independent external reporting channel will send a confirmation of receipt within seven (7) days, unless:

• The reporter explicitly indicates that they do not want this; or
• The confirmation of receipt could jeopardise the protection of the reporter's identity.

The external reporting channel will provide feedback to the reporter within three months or, in special cases, six months, on the planned follow-up or measures taken and the reasons for that follow-up, unless a legal provision prevents this. The external reporting channel will inform the reporter of the final outcome of the investigations.

The competent authorities may decide that a reported breach is clearly minor or has already been the subject of previous reports on the same facts without any additional new elements, with the result that they close the procedure. The competent authorities shall inform the reporter of their decision and the reasons for it.

d. Disclosure of a breach in exceptional circumstances

An (anonymous) whistleblower who discloses a breach by making information about breaches publicly available (e.g. via the media) is eligible for protection if the following conditions are met:

1. The whistleblower has first made an internal or external report as prescribed under titles b) or c), but no appropriate measures have been taken; and,
2. The whistleblower has reasonable grounds to believe that:
   • the breach may pose an imminent or actual threat to the public interest; or
   • in the case of an external report, there is a risk of retaliation, or it is unlikely that the breach will be effectively remedied due to the particular circumstances of the case, for example because evidence may be withheld or destroyed, or an authority may collude with the perpetrator of the breach or be involved in the breach.

Conditions for protection

Reporters are protected if:

• They have reasonable grounds to believe that the reported information about breaches was accurate at the time of reporting and that this information falls within the scope of this policy. The whistleblower does not lose the benefit of protection on the sole ground that the report made in good faith has been found to be incorrect or unfounded; and
• They report the information through the internal or external reporting channel. The whistleblower also receives protection if they disclose the breach to the public, provided that they have first made an internal or external report.

Anonymous whistleblowers who have reported or made public information about breaches but are later identified and subject to reprisals are eligible for protection if they meet these conditions for protection.

The following persons and legal entities are protected if they have reasonable grounds to believe that the reporter is covered by the protection condition:

• Facilitators;
• Third parties associated with the reporters who may be subject to reprisals in a work-related context, such as colleagues or family members of the reporters;
• Legal entities owned by the reporters, for which the reporters work or with which the reporters are otherwise associated in a work-related context.

Confidentiality

The report manager, including authorised staff members who are responsible for receiving and following up on reports, keeps the identity of the reporter confidential. The report manager is also designated because of the confidential nature of the case and the identity of the reporter, and the independence of the service to avoid conflicts of interest. More specifically, during the handling of the report, it is prohibited to disclose the identity of the reporter or any information that could lead to the reporter's identity being discovered. The obligation of confidentiality also applies if an anonymous reporter can still be identified directly or indirectly through other information.

The report manager may only disclose the identity of the reporter:

• if the reporter gives their free and explicit (written) consent; or
• if the reporter themselves deliberately breaches confidentiality.

The confidentiality of identity will not apply if mandatory legislation requires disclosure in the context of investigations by national authorities or legal proceedings. The competent authority will inform the reporters in advance of the reasons for the disclosure, unless this would jeopardise the investigations or legal proceedings.

Anyone directly or indirectly involved in the handling of a report of a (suspected) breach is obliged to maintain confidentiality regarding everything entrusted to them or disclosed to them in connection with the report (such as the report itself, the preliminary investigation and the investigation itself) vis-à-vis anyone who is not authorised to have knowledge of it, insofar as such obligations arise from the nature of the matter.

The internal reporting channel for receiving reports is designed, structured and managed in such a way as to securely protect the confidentiality of the identity of the reporter and any third parties mentioned in the report, and to which unauthorised personnel have no access.

Preventing reprisals, such as sanctions or unfair treatment

Reprisals are direct or indirect actions or omissions that occur in a work-related context to the detriment of a whistleblower following an internal or external report or disclosure, and which lead or may lead to unjustified disadvantage for the reporter. Any form of reprisals, including threats and attempts at retaliation, is prohibited and includes, in particular:

1. suspension, temporary removal from service, dismissal or similar measures;
2. demotion or refusal of promotion;
3. transfer of duties, change of workplace location, reduction in salary, change in working hours;
4. withholding of training;
5. negative performance appraisal or employment reference;
6. imposing or applying a disciplinary measure, reprimand or other sanction, such as a financial penalty;
7. coercion, intimidation, harassment or exclusion;
8. discrimination, unfavourable or unequal treatment;
9. failure to convert a temporary employment contract into a permanent employment contract, in cases where the employee had a legitimate expectation that he would be offered permanent employment;
10. non-renewal or early termination of a temporary employment contract;
11. damage, including reputational damage, particularly on social media, or financial loss, including loss of turnover and loss of income;
12. blacklisting based on an informal or formal agreement for an entire sector or industry, as a result of which the person can no longer find employment in that sector or industry;
13. early termination or cancellation of a contract for the supply of goods or services;
14. withdrawal of a licence or permit;
15. psychiatric or medical referrals.

Reporters who act in accordance with this policy can report without jeopardising their position under employment law or fearing any other adverse consequences. This implies that they will not be disadvantaged in any way as a result of this question or report, provided that they act in good faith.

Reprisals against reporters as a result of a sincere report is considered a serious violation of this reporting policy, in which case the employer will take appropriate action to protect the whistleblower and to sanction those responsible for the reprisals.

Employees who believe they have suffered adverse consequences as a result of a report must notify the report manager as soon as possible. The victim of reprisals may also submit a substantiated complaint to the federal coordinator, who will initiate an out-of-court protection procedure if he has established a reasonable suspicion of reprisals.

The federal coordinator will verify with the employer whether there is reasonable suspicion of reprisals. The employer will respond to the federal coordinator's request within 20 days.

Misuse of the reporting procedure

The employer assumes that whistleblowers will report breaches in good faith. If, upon further investigation, the report manager cannot find confirmation for certain reports or if they prove to be unfounded, no measures will be taken against whistleblowers who have expressed their concerns in good faith.

However, the employer cannot allow reporters to deliberately submit reports that they know or should know to be false. The employer will appropriately sanction deliberately false reports in accordance with the sanctions prescribed in the employment regulations. Reporters acting in bad faith may be held liable for any damage suffered by anyone as a result of false reports.

Reporters who have deliberately reported or disclosed false information may be prosecuted for defamation or damage to the reputation of individuals.

The employer is the controller of personal data in the implementation of this reporting procedure. This implies that both the reporter and the persons involved can contact the employer to exercise their rights to information, access, rectification, portability and erasure of data, subject to the following restrictions:

• The person involved (the subject of the reported breach) has no right to access the identity of the reporter or that of third parties (or elements that could enable their identification), unless with their consent or in the event of a false report or defamatory allegation by the reporter or false testimony by a third party;
• Nor does the reporter have the right to access the personal data of the accused or of a third party, unless an investigation reveals that the accused has wrongfully suspected the reporter (e.g. by claiming that the reporter was himself involved in the malpractice they reported) or when third parties act in bad faith (e.g. false testimony).
• The personal data of the parties involved will not be deleted as long as the internal and/or external (police/judicial/administrative) investigation is ongoing.

The employer has engaged a third party, SD WORX, to implement the reporting procedure for Reynaers Aluminium in order to guarantee the confidentiality of reports and ensure efficient administrative processing.

Your personal data will not be sent to third countries that do not provide an adequate level of protection for your personal data.

During the reporting procedure, in addition to the facts, the name, position and contact details of the reporter and the accused will also be processed. The processing of this personal data is necessary within the framework of the Act of 28 November 2022 on the protection of whistleblowers who report breaches of Union or national law within a legal entity in the private sector (Art. 6, §1, c) GDPR). The transfer of a report to a processor (a service provider such as a cloud storage provider or tool for managing reports) may be based on the legitimate interests of the employer to process this data efficiently for the purposes of managing reports, ensuring anonymity, access management, etc. (Article 6, §1, f) GDPR).

You can always contact us at privacy@reynaers.be if you have any further questions about the safeguards taken to protect your personal data and about the processing of your personal data in the context of the reporting procedure, or to request your right of access to, correction or transferability of data, or deletion of your personal data, insofar as the exercise of these rights falls within the legal conditions.

If, after contacting your employer, you still wish to lodge a complaint regarding the processing of your personal data, you can contact the competent supervisory authority, namely the Data Protection Authority.

The government body responsible for the external reporting channel acts as the controller. This means that, in the case of external reports, you can contact the government to exercise your rights.

The competent authorities and the Federal Institute for the Protection and Promotion of Human Rights (accessible via this link: https://federaalinstituutmensenrechten.be/en/do-you-have-any-questions-contact-us or via info@firm-ifdh.be) will inform and advise you on support measures, such as:

• information and advice on the available remedies and procedures offering protection against reprisals, as well as on the rights of the person involved;
• technical advice regarding authorities involved in the protection of the reporter;
• legal aid and financial assistance in the context of legal proceedings;
• technical, psychological, media-related and social support.

The personal data processed within the framework of the reporting procedure will not be retained for longer than is necessary for internal and/or external (police/judicial/administrative) investigations. In the event of police, administrative, judicial or disciplinary proceedings, the data will be archived after the expiry of the applicable limitation period or appeal period, or retained for a maximum of two months thereafter.

The violations listed in ‘3. Scope of application’ of this policy concerning the reporting procedure and established in the final result of the investigation of a complaint via this reporting procedure may give rise to sanctions (including warnings, dismissal for urgent reasons) as described in the employment regulations or the employment contract.

In addition to these sanctions under labour law, the person involved or the reporter may, depending on the nature of the violation and the applicable legislation, incur additional sanctions, such as criminal sanctions and damages.

In order to ensure that this reporting procedure is properly embedded, management will undertake the following activities:

• Ensure that this procedure is available and known to all employees;
• Take all matters relating to reports of integrity violations very seriously, take timely action and guarantee confidentiality and care.

This procedure may be subject to regular review.