Criminal Compliance and Anti-Corruption Policy

Purpose of FAE’s Criminal Compliance and Anti-Corruption Policy

FRANCISCO ALBERO SAU, hereinafter referred to as FAE, is committed to managing its legal and regulatory compliance obligations in Spain, as well as in all other countries where it operates and markets its products through partners, distributors, or commercial representatives.

As part of this commitment, FAE has implemented a Criminal Compliance and Anti-Corruption Management System (SGCPA, according to it’s acronym in Spanish). This system is designed to identify and manage legal risks and ensure that its governing body, senior management, employees, and, where applicable, its business partners are aware of their legal obligations. Each party, in their respective roles, is expected to contribute to fostering an ethical and sustainable culture within FAE.

As part of FAE‘s efforts to implement the SGCPA, this Criminal Compliance and Anti-Corruption Policy has been developed. It serves as the reference framework for the SGCPA and the obligations and commitments assumed by FAE.

This document will establish:

• The scope of the SGCPA
• Conduct and risk parameters
• The organizational measures and compliance functions within FAE
• The obligations related to communicating the system’s operation
• The obligations related to setting up channels for reporting information on complaints or irregularities
• The consequences of non-compliance with both the SGCPA requirements and the conduct parameters
• The criteria for reviewing and updating the Criminal Compliance and Anti-Corruption Policy

2. Scope of the Criminal Compliance and Anti-Corruption Management System (SGCPA)

The SGCPA will apply to:

2.1. Subjective scope

The SGCPA will apply to activities carried out by:

• FAE partners when acting on behalf of the company
• FAE senior management in the performance of their contracted duties
• FAE employees during their functions
• FAE business partners, insofar as the contractual or commercial relationship may generate regulatory compliance risks.

2.2. Objective scope

All activities carried out by any of the subjects mentioned in the subjective scope, which are performed on behalf or representation of FAE or as a result of the employment or contractual relationship between any of the subjects and FAE, may be analysed, investigated, documented, reviewed, or supervised by the compliance officer within the SGCPA if they are considered to represent or potentially represent a criminal or corruption risk.

The objective scope of the SGCPA includes behaviours that:

• Could generate corporate criminal liability under the Penal Code
• Involve bribery, corruption, or any business practice contrary to ethical standards
• Any other behaviour likely to generate criminal liability, as deemed relevant by the compliance officer and included in FAE’s risk map for management

2.3. Territorial scope

FAE has commercial interests in various countries and sells products either directly or through authorized distributors or commercial representatives in several countries within the European Community and around the world.

Activities carried out by any of the subjects listed in section 2.1, in any country where FAE operates, whether it has a physical presence, may be analysed, investigated, documented, reviewed, or supervised by the compliance officer within the SGCPA, provided that such activities are considered to represent or potentially represent a regulatory compliance risk.

3. Conduct parameters

3.1 Identification and analysis of legal risks

FAE has conducted a process of identifying and analysing risks, encompassing behaviours that, if materialized, could compromise the organization’s criminal liability or involve corrupt practices. Based on this analysis, the risk level of each behaviour has been determined according to its probability and impact.

The catalogue of behaviours included in the SGCPA encompasses those crimes that generate liability for the legal entity, as established in the Penal Code, as well as behaviours that could be categorized as bribery or corruption, following the standards of UNE 19601 on criminal compliance management systems and the UNE/ISO 37001 standard on anti-bribery management systems.

The compliance officer may add new risks to the catalogue of behaviours, whether they generate criminal liability for the legal entity, if they pose a significant legal impact for the organization. All identified risks will be analysed, evaluated, and controls will be determined for their management.

Behaviours that represent a risk level higher than low must be accompanied by specific controls aimed at eliminating, mitigating, or managing those risks. Controls may also be established for risks considered low if the compliance officer deems there is reasonable cause to implement the control.

The compliance officer is responsible for reviewing risks, defining controls, determining the frequency of their review, and assessing their effectiveness.

The governing body and senior management are committed to overseeing the effectiveness of the controls and approving the human, technological, and financial resources necessary for the functioning of the SGCPA.

3.2 Expected behaviour of applicable subjects

All subjects to whom the Policy applies are expected to:

1. Comply with regulatory compliance obligations covered by the SGCPA
2. Adhere to the requirements of the SGCPA

While everyone is responsible for knowing and complying with the laws and regulatory framework applicable to FAE, the compliance officer will communicate the risks and controls to each first-line area, which must ensure regulatory compliance within their functions.

Non-compliance with legal obligations will be considered regulatory non-compliance and will be subject to disciplinary sanctions, in accordance with applicable legislation. Non-compliance with SGCPA requirements will be considered non-conformance.

4. Organizational measures

4.1 Compliance Officer

The compliance officer is the person designated to oversee compliance with the Criminal Compliance and Anti-Corruption Policy, the Code of Ethics and Conduct, and the SGCPA, as well as the associated policies and procedures.

However, all members of the organization, based on their level of authority and responsibility, are co-responsible for ensuring regulatory compliance and the success of the SGCPA.

The compliance officer must have:

• Independence: to identify and analyse risks, propose controls, initiate investigations, and present recommendations to the governing body and senior management of FAE
• Budgetary Autonomy: The compliance officer must have a budget aligned with the needs of their area
• High-level Contact: to report on risk situations and propose recommendations on matters that could impact operational areas, minimizing conflicts of interest that may arise with intermediaries

The compliance officer’s functions include:

• Promoting and implementing actions to ensure the maximum effectiveness of the SGCPA. This involves monitoring compliance objectives, driving an annual Compliance action plan, supporting members of the organization in regulatory compliance, and evaluating the suitability of implemented controls.
• Ensuring that periodic training on regulatory compliance is included in FAE’s Annual Training Plan, especially in areas where the risk level is considered high or medium
• Promoting the progressive inclusion of Compliance responsibilities in job descriptions and performance management processes
• Receiving, investigating, and managing information submitted through the Ethical Whistleblowing Line, addressing it responsibly and promptly, while respecting the rights of all involved parties and taking measures to prevent retaliation, in accordance with the Ethical Whistleblowing Policy
• Measuring the performance of the SGCPA using objective, clear, measurable, and reasonable indicators aimed at continuous improvement
• Identifying and managing compliance risks arising from the activities performed by the subjects covered in this Policy
• Ensuring the periodic review of the SGCPA
• Ensuring that FAE members, and their business partners where relevant, have timely access to the Code of Ethics and Conduct, FAE’s policies, and the ability to consult with the compliance officer when appropriate
• Reporting the results of the SGCPA’s application to the governing body

4.2 Governing body

The governing body, composed of those appointed as administrators or members of the Board of Directors, must demonstrate leadership and commitment to the SGCPA by actively promoting a culture of regulatory compliance within the organization.

The governing body of FAE must fulfil the following obligations:

• Promote a culture of Compliance through exemplary behaviour and defending the values and Code of Ethics and Conduct of FAE
• Ensure the effectiveness of the SGCPA by periodically reviewing actions to ensure they have a real and tangible impact on the organization and its members’ behaviour
• Appoint the compliance officer, granting them the necessary powers of initiative and control, and providing them with adequate and sufficient financial, material, technological, and human resources to carry out their duties effectively
• Periodically evaluate the effectiveness of the system and determine if it is necessary to modify the scope of the SGCPA in the event of:

• • Legislative or jurisprudential changes
  • Significant changes in the structure or activities of the organization
  • Any other circumstances that may compromise the proper functioning of the SGCPA

• Consider the recommendations made by the compliance officer and make decisions regarding matters raised by the governing body concerning the SGCPA or the risks associated with compliance obligations and requirements
• Ensure the establishment of decision-making processes within FAE that uphold high standards of behaviour and contribute to the development of a culture of regulatory compliance and transparency
• Approve and modify the Criminal Compliance and Anti-Corruption Policy of FAE when legislative changes occur, organizational structure changes, or any other circumstances warrant it, as determined by the governing body or the compliance officer’s recommendations

4.3 Senior management

Senior management, comprised of FAE’s leadership team, is committed to regulatory compliance and maintains exemplary conduct, actively contributing to the implementation of the SGCPA.

Senior management FAE is responsible for:

• Ensuring the SGCPA is effectively implemented across all levels of the organization
• Ensuring that the requirements and demands of the SGCPA are effectively integrated into FAE’s operational processes and procedures
• Guaranteeing the availability of adequate and reasonably sufficient resources for the effective execution of the controls established under the SGCPA framework of FAE
• Complying with and enforcing the Criminal Compliance and Anti-Corruption Policy at all levels of the organization
• Communicating the importance of complying with SGCPA requirements within and outside FAE, particularly to those whose actions may compromise the organization’s liability
• Promoting continuous improvement of the SGCPA and collaborating with the compliance officer to identify risks and opportunities
• Promoting the Ethical Whistleblowing Policy and encouraging the use of the channel and other means for personnel to report irregularities or suspected irregularities and raise questions or concerns
• Ensuring that no member of the organization is subjected to retaliation or disciplinary action for using the ethical whistleblowing line in good faith to report irregularities, suspicious situations, or for refusing to engage in improper conduct

4.4 Affected entities and individuals

All members of FAE must contribute to the implementation of the SGCPA, alongside the compliance officer, administrators, and senior management.

• A. Common Obligations of FAE Employees:

All FAE employees are obliged to:

• Always act according to the highest ethical standards, complying with the law, the Code of Ethics and Conduct, and policies designed to ensure regulatory compliance
• Report any irregularities they are aware of that may violate the law, the Code of Ethics and Conduct, or FAE’s policies to the compliance officer
• Collaborate with the compliance officer in investigating any improper conduct or non-compliance with SGCPA requirements
• Attend training and awareness sessions on Compliance organized by FAE

• B. Obligaciones comunes a los Socios de Negocio de FAE.

FAE expects its business partners (strategic allies and suppliers) to always act in compliance with the law and business ethics, and therefore:

• Comply with legal obligations and refrain from engaging in irregular conduct that violates the Constitution, laws, and regulations in any dealings with FAE
• Act ethically in business, avoiding any corrupt practices or attempts to unduly influence public officials to gain a benefit
• Respect the rights of their employees and collaborators, avoiding any abusive, degrading, or discriminatory labor practices, or those that could be classified as modern slavery according to international human rights organizations

The compliance officer will establish the guidelines under which those business partners who are strategic due to their volume of business or level of involvement must adhere to FAE’s Code of Ethics and Conduct or comply with one or more of the organization’s internal policies.

In accordance with UNE 19601, entities controlled by FAE must implement the necessary control measures to ensure regulatory compliance within their environment.

5. Awareness of the Criminal Compliance and Anti-Corruption Policy

The Criminal Compliance and Anti-Corruption Policy will be communicated and made available to all those with a legitimate interest in understanding it.

The obligations of each applicable subject will be communicated in a timely manner and in the formats deemed appropriate by the Compliance Officer.

6. Communication of behaviours

FAE will provide communication channels to its members, business partners, and any person with a reasonable interest in its activities, allowing them to promptly report any irregularity or suspicion of irregularity they become aware of to the Compliance Officer.

The channels, process, and protocol for receiving, investigating, and managing complaints, as well as the rights of the involved parties, will be governed by the Whistleblowing Policy.

7. Consequences of Non-Compliance

The Compliance Officer, or their designee, must investigate possible non-compliances and determine their magnitude and implications, assessing the nature, causes, and consequences, and whether they constitute non-compliances or non-conformities.

Once the investigation is complete, the Compliance Officer will recommend to the Administrators or senior management, as appropriate, disciplinary or contractual sanctions deemed proportional to the risk or damage caused, as well as any necessary corrective actions.

Disciplinary actions of a labour nature executed by FAE will be lawful and in full compliance with the applicable Collective Agreement, and in its absence, with the Workers’ Statute, following the procedure and determining the sanction according to the severity of the behaviour.

8. Review of the Criminal Compliance and Anti-Corruption Policy

The Criminal Compliance and Anti-Corruption Policy will be reviewed by the Compliance Officer and approved by the Administrators, as provided within the policy.

The Compliance Officer will periodically and continuously review the legal risks of FAE and inform the Governing Body of any activities affected by new risks arising from legislative changes, changes in activities, or when circumstances require.

9. Approval

The Criminal Compliance and Anti-Corruption Policy has been approved by the Sole Administrator Francisco Marro Burrel on November 30, 2023.