DATE OF ISSUE JANUARY  2025

Objective:

Establishment of a channel and a procedure for internal reports and complaints, as well as for monitoring these through an email address and a telephone line operating 24 hours a day, 7 days a week. This channel and procedure provide recipients with the ability to promptly report any confirmed or potential incident of legal or regulatory violation, any irregularity, inappropriate or illegal conduct, as well as any questionable practice or deviation from the company’s policies and procedures.

Key points:

1. Scope
2. Definitions
3. Report submission process

Recipients:

Employees and workers regardless of their contractual status, including staff on a project basis, independent service providers, on a remunerated mandate, persons working under the supervision and direction of third-party service providers, trainees including interns, former employees, but also people applying for a job in the company, trading or collaborating with the company.

1. Scope

DEMO is committed to conducting its business activities with integrity and always in compliance with applicable national and European legislation, regulatory framework, company policies and procedures, the Code of Ethics and Professional Conduct, as well as any other code of conduct that the company implements and follows. Irregularities and deviations from corporate policies and procedures as well as misconduct that violates applicable national or European laws and regulations or the Code of Ethics and Professional Conduct may occur in the workplace and they are not in line with company commitments. The company must provide its employees with the necessary means of defense and protection against such incidents and behaviors, encouraging them to speak openly and submit relevant reports and complaints.

For this reason, the company provides the option of an email address and a complaint reporting hotline (SpeakUp) through which reports and complaints can be submitted 24 hours a day, 7 days a week.

A report can be submitted either within the Company by sending an email to the address: yppa@demo.gr or through the complaint reporting hotline (SpeakUp) and will then be forwarded to the Responsible for Receipt and Monitoring of Reports (RRMR). Alternatively, it can be submitted outside the Company directly to the competent authority, namely the National Transparency Authority.

The Responsible for Receipt and Monitoring of Reports (RRMR) is the Director of the Legal Department – Compliance Department.

The purpose of this policy is to establish, in addition to the traditional channels, a channel and a process for internal reports and complaints, as well as for monitoring them through email or a telephone line operating 24 hours a day, 7 days a week, and to strengthen DEMO’s commitment to an open reporting and complaint submission process, where employees are encouraged to raise issues of misconduct they may have identified.

In today’s environment, employees remain DEMO’s first and best line of defense against misconducts. By detecting and reporting misconduct, employees can help DEMO maintain all its key principles by taking immediate remedial action to correct any misconduct, preventing future incidents and ensuring a healthy and friendly work environment for all employees.

We acknowledge that early detection and reporting of misconducts depends on maintaining a climate of trust, confidentiality and integrity, in which all employees:

(a) Are encouraged to report possible misconduct as soon as possible, knowing that their concerns will be taken seriously and that appropriate action will be taken;

(b) Are familiar with and can effectively use all available channels and procedures to report breaches’ concerns while maintaining, if they wish so, their anonymity; and

(c) Have confidence that the reporting process remains confidential, with no tolerance for retaliation or adverse treatment of any kind.

This policy applies in all company’s current facilities in Athens and Thessaloniki and in any future facility in Greece and abroad as well as in places where corporate meetings, conferences and all kinds of company events take place, either live or online including telephone interactions, and in places in which services are provided by DEMO employees in the context of their work. DEMO complies with all measures and obligations relating to the implementation of the provisions of Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons reporting breaches of Union law adopted on October, 23 2019 and entered into effect on December 16, 2019, as well as with Law 4990/2022 and the applicable legislation.

2. Definitions

Definitions Any behavior that violates applicable national and European law and regulations, company policies and procedures as well as the Code of Ethics and Professional Conduct is defined as misconduct or law or regulation violation. Both information and reasonable suspicion of actual or potential breaches that have or may be committed are protected in this regard.

Indicative misconducts or incidents of violation of law or regulation that may be the subject of a report include:

• fraud or theft
• bribery or corruption
• criminal activities
• human rights violations
• breaches of competition law
• discrimination / harassment
• acts, practices or threats thereof, which are intended to lead to, or may result in, physical, psychological, sexual or financial harm
• financial, accounting or control irregularities
• forgeries of documents or files
• conflicts of interest
• abuse of confidential information
• environmental issues, health and safety issues
• acts of retaliation
• breaches of public procurement
• public health violations
• consumer protection violations
• violations regarding privacy and personal data protection, network and information systems security, etc.

The term employee refers to employees and workers regardless of their contractual status, including staff on a project basis, independent service providers, on a remunerated mandate, persons working under the supervision and direction of third-party service providers, trainees including interns, former employees, but also people applying for a job in the company, trading or collaborating with the company.

A report is defined as an oral or written description of incidents of legal or regulatory violations that have occurred or are likely to occur.

3. Report submission process

a) Process description

Any employee who is aware of a law or regulation breach, either because he/she has been the victim of such an incident or because he/she has witnessed it or has reasonable suspicions that such an incident is about to occur, may submit an anonymous or signed report by sending an email to the address yppa@demo.gr or via the complaint reporting hotline 8004000005 (SpeakUp), which operates 24 hours a day, 7 days a week. The line is operated by an independent external partner.

The telephone reporting process consists of the following steps:

1. The whistleblower calls 8004000005, the 24/7 telephone reporting line (SpeakUp).
2. Initially, the caller is asked to choose between the Greek or the English language in order to proceed to the following steps of the process.
3. Then, the whistleblower is informed that the report will be recorded (caller’s consent needed) and that the company is committed to manage the report in a way that ensures confidentiality and the protection of the Employee from any potential form of retaliation.
4. The user is prompted to enter 1 if they are an employee or former employee, or 2 if they are a partner
5. Finally, the caller is asked to make a brief and comprehensive report of the breach. The maximum duration of the report is three (3) minutes.

b) Information to be included in a report

The report should be complete, objective and contain at least a brief description of the incident, the place where it took place, the time of occurrence and the parties involved. The report should be made in good faith, based on true facts and unselfishly, without expectations for any monetary satisfaction or profit in return. False and unsubstantiated allegations will not be tolerated and may lead to disciplinary misconduct.

c) Anonymous Report

Reports can be anonymous or signed. DEMO takes every reasonable measure to ensure the confidentiality of report management in order to minimize the risk of revealing the identity of whistleblowers using the SpeakUp service.

If the caller chooses to submit an anonymous report, he / she should provide sufficient details to allow the proper investigation of the reported breach incident.

d) How DEMO ensures the confidentiality of reports

The SpeakUp telephone service is provided by an independent external partner, which further ensures the confidentiality and complete anonymity of employees. In any case, the individuals handling the report are bound by a strict confidentiality obligation regarding the identity of the person making the report, as well as any third party named in the report. Specifically, the identity of the reporter is not disclosed to anyone other than the Responsible for Receipt and Monitoring of Reports (RRMR). The same applies to any other information from which the identity of the reporter could be inferred, directly or indirectly. Exceptions to the above apply only in accordance with the relevant provisions of the applicable legal framework.

Details that could lead to the identification of the user of the SpeakUp service are not disclosed without their consent, except to the RRMR. The only exception is if this is required by law or if there is a significant public interest at stake.

Personal data that may be disclosed are processed in accordance with current Personal Data Protection legislation (GDPR) with which both the company and the external partner providing the SpeakUp service are fully compliant. Personal data that are not explicitly related to the handling of a particular report are not collected or, if collected inadvertently, they are deleted without undue delay.

e) Post report submission process

Immediately after a report is submitted by a user of the SpeakUp service via the reporting hotline, the report is forwarded to the RRMR, after being transcribed and pseudonymization in accordance with the applicable data protection legislation, it is appropriately investigated in cooperation with the investigation committee.

The same procedure is followed in the case of a report being submitted via the email address: yppa@demo.gr, once the RRMR receives the written report, it is forwarded in pseudonymized form and after the implementation of appropriate technical and organizational measures, in accordance with the applicable legislation on the protection of personal data, it investigates it in cooperation with the investigation committee.

If the submitted evidence suggests the commission of a criminal offense that is prosecuted automatically, the RRMR promptly sends a copy of the Report to the competent local Prosecutor and informs the person who made the report.

If the Report contains complaints against the RRMR or members of the Investigation Committee, the RRMR shall register the Report in a special file and forward it to the National Transparency Authority, while also informing the person who made the report.

The members of the investigation committee are the Directors of the following departments: Legal Affairs & Compliance, Human Resources, and Corporate Governance. The RRMR issues an acknowledgment of receipt of the report to the reporter within seven (7) days from the moment of receipt.

During the investigation and evaluation of the report regarding the collection of information and data, the members of the investigation committee may have access to the records of the company, to audiovisual material and to any other appropriate means for the verification of the report.

In any case, the RRMR must inform about the progress of the investigation of the report within a reasonable period of time, which cannot exceed three (3) months from the acknowledgment of receipt of the report, or if no acknowledgment has been sent, three (3) months from the end of the seven (7) business days following the submission of the report.

The members of the investigation committee must look into the reports without any delay and examine the information contained in the reports demonstrating objectivity and impartiality, without prejudice against involved parties and taking all measures necessary for the protection of confidentiality and personal data of those involved unless otherwise provided by applicable law. The members of the investigation committee need to conclude whether the reported case constitutes a law or regulation violation and then to judge the reliability of the information provided. The persons involved in the report are informed by the investigation committee on the nature of the whistleblower’s allegations, when deemed necessary, in order for them to be able to respond to those allegations accordingly.

The members of the investigation committee treat any persons involved in reports with professionalism, dignity and respect. No one is presumed to have been involved in a breach of law or regulation before the relevant report investigation has been completed.

Following the completion of the investigation, the committee will present an investigation report to the Management of the Company for approval. The report will include the Committee’s proposal for the application of measures aiming at the protection of those affected as well as for disciplinary penalties, if appropriate. False reports or reports that turn out to be malicious may constitute a serious disciplinary offense.

The company keeps a record of every report it receives, in accordance with the confidentiality requirements set out in the relevant legal framework. Reports shall be kept for a period not exceeding the required and proportionate period in order to comply with the provision of EU or national law.

f) Prohibition of retaliation

No employee may be retaliated against for making a signed report or for allegedly making an anonymous report or participating in its management.

Anyone found retaliating against an employee who has submitted, may submit, intends to submit, or has assisted, may assist, intends to assist or could assist in an investigation of a submitted report, may be considered to commit a disciplinary offense.

If there is retaliation, individuals who made the report have the right to appeal to the competent court and seek redress.

h) Cooperation with competent authorities and provision of information as needed

All employees must fully cooperate with the company-appointed investigation committee, providing complete and true information but also with any competent public, administrative or judicial authority which, either ex officio or at the request of the person concerned, within its competence, requests the provision of data or information, providing necessary assistance and facilitating access to data. Making false or malicious allegations during the investigation may constitute a disciplinary misconduct. The reporting process should not be misused for reckless accusations or personal complaints.