Internal Information System Policy

EUROAMERICAN FINANCIAL ADVISORS EAF, SL

Index

…… Preparation, approval and version history 3
……. Introduction and purpose of the policy 4
…… Reference regulations 4
…… Scope of application 4

…… Responsible for the internal information system 5
…… General principles of action and guarantees of the system 6
…… Internal Complaints Channel 8
……. External Reporting Channels 8
…… Processing of personal data 9
…… Approval, review and publicity of the policy 9

Preparation, approval and version history

ELABORATION:	AFI-FINREG COMPLIANCE SOLUTIONS, SL
APPROVAL:	Responsible		Board of Directors
	Date 1st Approval		5/12/2023
CURRENT VERSION:	v.1	Brief description		Approval Date
		Internal Information System Policy		5/12/2023
UPDATE HISTORY	Update Date	Update Detail / Reason		Approval Date

Introduction and purpose of the policy

In accordance with the provisions of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and its transposition into Spanish law, by Law 2/2023 of 20 February on the protection of persons who report breaches of regulations and the fight against corruption, private sector entities subject to the scope of the regulations on the prevention of money laundering or the financing of terrorism must have an internal information channel.

In compliance with this obligation, EUROAMERICAN FINANCIAL ADVISORS EAF, SL (hereinafter, “EAFA”, or the “Entity”, or the “Company”) has prepared this Internal Information System Policy (the “Policy”) which develops the basic principles of the internal information system or Complaints Channel of the Entity.

The purpose of this system is to be able to receive confidentially or anonymously any possible irregularity or act that is suspected or known to be improper or contrary to current legislation or the internal regulations of EAFA.

Reference regulations

Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.
Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption (“Law 2/2023”).
Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism (“Law 10/2010”).
Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (“MiFID II”).
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
Regulation 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (“Market Abuse Regulation”).

Scope of application
- Subjective scope of application

The subjective scope of application of the Policy is all employees, senior managers and members of the board of directors of EAFA (hereinafter, “Covered Persons” ).

Likewise, any person who works for or under the supervision of the Company’s suppliers may also use this system.

It may also be used by all those persons who have had an employment or statutory relationship with EAFA that has already ended, volunteers, interns, workers in training periods regardless of whether or not they receive remuneration, as well as those whose employment relationship has not yet begun, in cases where the information on infringements has been obtained during the selection process or pre-contractual negotiation.

Objective scope of application.

Through the facts reported in the Reporting Channel, any possible irregularity or act that is suspected or known to be improper or contrary to current legislation or the internal regulations of EAFA, committed within the Entity or its activity, can be made known.

Specifically, they may report violations contained in Article 2 of Law 2/2023, that is, those that:

may constitute infringements of EU law provided that they fall within the scope listed in the Annex to Directive 2019/1937 and affect the EU’s financial interests or impact on the internal market. Issues detailed in the Annex to that Directive include:
- financial services, products and markets,
- prevention of money laundering and terrorist financing,
- protection of investors and consumers,
- protection of privacy and personal data, and security of networks and information systems,
may constitute a serious or very serious criminal or administrative offence. In any case, all serious or very serious criminal or administrative offences that entail financial losses for the Treasury and for Social Security shall be deemed to be included.
may constitute violations of the Entity’s internal policies and procedures.

Responsible for the internal information system

The Board of Directors of the Entity will appoint a Person Responsible for the Internal Information System who, in all cases, will have a management position.

This person will act autonomously and independently from the rest of the Entity’s bodies.

In addition to this person in charge, only those persons who, due to the performance of their duties in the Entity, should have access to the complaints will have access to them, such as those persons in charge of the control functions necessary for their effective processing.

Likewise, exceptionally, persons with human resources management and control functions in the Entity may access the complaints, in the specific case that it is necessary to proceed with the adoption of disciplinary measures against a Person Subject to the Data.

Furthermore, the Entity has a Data Protection Officer who will review the processing carried out.

principles of action and guarantees of the system

The general principles of action of the Internal Information System are as follows:

Confidentiality: The internal information system will guarantee confidentiality in relation to the identity of the informant, the persons mentioned in the communication, the information communicated and the actions that are developed as a consequence of the processing of the communication.

In any case, the provisions of data protection regulations will be followed in the investigation process, especially with regard to the identity of the informant or any other information related to personal data. Likewise, any personal data that is not necessary for the effective investigation and processing of complaints will not be collected and, where appropriate, will be deleted without undue delay if it is collected accidentally.

Anonymity: Whistleblowers will be provided with a channel that allows them to submit complaints anonymously should the whistleblower so choose.
Independence and autonomy: During the processing of the procedure, any situation that may entail a potential conflict of interest will be avoided at all times, thus guaranteeing the independence and impartiality of the Person Responsible for the Internal Information System, as well as of any person within the staff who may intervene in it.

In addition, the following rights will be guaranteed in the internal information system:

Protection of whistleblowers: A system of protection for whistleblowers against possible reprisals will be guaranteed. Therefore, acts constituting reprisals, including threats of reprisals and attempts at reprisals against persons who submit a communication in accordance with the Internal Information System Procedure, are expressly prohibited.

That is, persons who report possible violations will be entitled to protection provided they have reasonable grounds to believe that the information referred to is true at the time of communication or disclosure, even if they do not provide conclusive evidence.

Reprisal is understood to mean any act or omission that is prohibited by law, or that, directly or indirectly, entails unfavourable treatment that places the person affected at a particular disadvantage compared to another person in the workplace or professional context, solely because of their status as informants, or because they have made a public revelation. An exception is made in the case where said act or omission can be objectively justified in light of a legitimate purpose and the means to achieve said purpose are necessary and appropriate.

For the purposes of Article 36.3 of Law 2/2023, the following are considered retaliation:

Suspension of the employment contract, dismissal or termination of the employment or statutory relationship, including non-renewal or early termination of a temporary employment contract after the trial period has passed, or early termination or cancellation of contracts for goods or services, imposition of any disciplinary measure, demotion or denial of promotions and any other substantial modification of working conditions and non-conversion of a temporary employment contract into an open-ended one, if the employee had legitimate expectations that he or she would be offered an open-ended job; unless these measures were carried out within the regular exercise of management power under the corresponding labour legislation or legislation regulating the public employee statute, due to proven circumstances, facts or infringements, and unrelated to the submission of the communication.
Damage, including reputational damage or financial loss, coercion, intimidation, harassment or ostracism.
Negative evaluation or references regarding work or professional performance.
Inclusion on blacklists or dissemination of information in a particular sector, which hinders or prevents access to employment or the contracting of works or services.
Denial or cancellation of a license or permit.
Denial of training.
Discrimination, or unfavorable or unfair treatment.

The whistleblower whose rights have been violated due to his communication after the two (2) year period has elapsed, may request protection from the competent authority, which, exceptionally and in a justified manner, may extend the protection period, after hearing the persons or bodies that could be affected.

Rights to the presumption of innocence and honour: The presumption of innocence and honour of the persons affected is guaranteed, as well as the right to be heard.
Right to information: Persons who may be affected by an internal investigation have the right to be informed of the communication made against them as soon as the appropriate checks have been made, the file has been admitted for processing and it is considered appropriate to guarantee the successful completion of the investigation.

The moment in which the person under investigation is informed will vary depending on the circumstances of each case. An attempt will be made to inform the person under investigation as soon as possible, but always with the aim of preserving the evidence and preventing its alteration or destruction by the accused.

In cases where the Person Responsible for the Whistleblowing Channel considers that there is a risk that the person under investigation may alter or destroy evidence related to the reported facts, or that the information to the whistleblower may hinder the achievements of the eventual investigation, in accordance with the exceptions of article 14.5 RGPD, and always at the discretion of the Person Responsible for the Whistleblowing Channel, they may avoid communicating said information to the whistleblower until the time of the hearing procedure.

Likewise, in accordance with the requirements of the GDPR, the complainant may exercise his or her rights of access, rectification, deletion and opposition, limitation of processing and portability obtained through this Channel by contacting the security officer, through the email address of the data protection officer: (privacy@eurousafa.com)

Record keeping : All complaints and queries received through the Complaints Channel, the answers given to the complainant, all documentation generated in the investigation, interviews, etc. will be kept in the Entity’s registry book in accordance with the provisions of the applicable regulations on personal data protection and for the time strictly necessary for the purposes of carrying out the investigation or to apply the appropriate measures to defend the interests of the Entity. In no case may the data be kept for a period longer than ten (10) years.

The data of the person making the report and of the employees and third parties must be kept in the Reporting Channel only for the time necessary to decide whether to initiate an investigation into the reported events.

In any case, after three (3) months from the introduction of the data, they must be deleted. Communications that have not been processed may only be recorded in an anonymous form, without the obligation to block them being applicable.

After the period mentioned in the previous paragraph has elapsed, the data may continue to be processed by the corresponding body for the investigation of the reported facts, and will not be kept in the Reporting Channel itself.

Internal Complaints Channel

The Entity has the following means through which reportable facts and conduct described in section 4 may be communicated:

Email address: eafa@eurousafa.com
Physical mailbox at the Entity’s offices

In order to guarantee the anonymity of those informants who so wish, a physical mailbox will be established. The physical mailbox will be located at Plaza de Villasis, 2, Suite 210, 41003, Seville, Spain.

At the request of the informant, communication of the reportable facts may also be made through a face-to-face meeting, following a formal written request. Verbal communications made through a face-to-face meeting must be documented in one of the following ways, with the prior consent of the informant:

by recording the conversation in a secure, durable and accessible format, or
through a complete and accurate transcription of the conversation conducted by the staff responsible for handling it.

Without prejudice to the rights that apply to him/her under data protection regulations, the informant will be offered the opportunity to check, rectify and accept the transcription of the conversation by signing.

External reporting channels

The supervisors, depending on the regulatory scope, have specific channels where complaints regarding the facts and conduct that can be reported on their websites can be submitted. In any case, these authorities guarantee that the complaint can be submitted both in writing and verbally.

The authorities that have specific channels are the following:

Independent Whistleblower Protection Authority[1]
Bank of Spain: https://www.bde.es/wbe/es/para-ciudadano/gestiones/canal-de-denuncias-del-banco-de-espana/
National Securities Market Commission: https://www.cnmv.es/portal/whistleblowing/presentacion.aspx
Spanish Data Protection Agency : https://www.aepd.es/la-agencia/transparencia/canal-proteccion-informante

Processing of personal data

Personal data that may be processed in the course of a file within the Whistleblower Channel Procedure will be treated with the utmost confidentiality. The controller of said data is EAFA.

The purpose of processing personal data in the Whistleblowing Channel is to manage the communication of irregular conduct when the user wishes to report suspicions of irregular conduct, illegal acts or regulatory breaches. EAFA may obtain data directly from the whistleblower or from third parties (e.g. witnesses, investigated, EAFA areas, expert or police reports).

Users of the Complaints Channel may exercise their rights of access, rectification, deletion, opposition, limitation of processing and portability, with respect to the processing for which EAFA is responsible, by writing to EAFA at the address indicated above, proving their identity, or by email to the following email address: (eafa@eurousafa.com)

Approval, review and publicity of the policy

This Policy will be available on the Entity’s website and will be effective and enforceable for all competent persons from the time of its publication.

The approval of this Policy corresponds to the Board of Directors of the Entity, as well as any subsequent modifications that may occur. The Policy will be updated and/or modified, at least, in the following cases:

when legal or regulatory changes occur that affect the Policy.
at the proposal of Regulatory Compliance when it is understood that there are aspects that can be improved to achieve the proposed objectives or to suitably adapt to the characteristics of the services offered by the Entity at any given time.

Without prejudice to the foregoing, a review of the Policy will be carried out at least once a year, using internal or external means.

[1] Not yet established.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.