Internal information protocol

 

PROTOCOL FOR THE IMPLEMENTATION OF THE INTERNAL INFORMATION MANAGEMENT SYSTEM SARTON DOMINICANA SAS

INDEX

1. INTRODUCTION

2. REGULATORY REGIME

3. IMPLEMENTATION REQUIREMENTS

1. 1. Personal scope of application

   2. Material scope of application

   3. Objective scope.

   4. Procedural scope.

   5. Dissemination and information scope.

   6. Responsibility scope.

4. RIGHTS OF THE INFORMANT

5. "NON-RETALIATION" PROTOCOL

6. RIGHTS OF THE DEFENDANT

7. CONFLICT OF INTEREST

8. PROCEDURE OF MANAGEMENT AND PROCESSING OF INFORMATION

9. DESIGNATION OF THE SYSTEM ADMINISTRATOR

10. OBLIGATIONS OF THE GOVERNING BODY

11. RESOLUTIONS TO BE ADOPTED BY THE GOVERNING BODY

1. INTRODUCTION

Internal information management systems, under the name of "whistleblowing channels", is a legal tool designed to encourage and facilitate the filing of complaints-including anonymous ones-, avoiding retaliation for those who file them and facilitating the detection and prevention of illicit acts and infringements within the scope of action of legal persons, extending its protection not only to workers in its strict meaning but also to any person who has become aware of the information through any employment relationship, provision of professional services or pre-contractual relationship.

Throughout this Protocol, the procedure to be followed for the reception, management and resolution of the information submitted will be defined, all within the framework of strict compliance with the obligations set forth in the applicable laws.

1. Purpose of the Information Management System.

 

The purpose of this protocol is to implement an information management system (or, in other words, "whistleblowing channel") and to establish a protocol that regulates a system for the management, reception, processing and resolution of information that could constitute infractions, whether of a criminal or administrative nature, provided for in the Dominican legal system in order to pursue detection and prevention and, where applicable, criminalization of administrative infringements and criminal offences committed within legal persons.

This whistleblowing channel, without prejudice to the considerations set forth in the regulatory provisions to which specific reference will be made, has as its ultimate purpose the achievement of the following objectives:

• To provide this entity with a first-hand source of information, which will serve as an instrument for prevention, early detection and, if necessary, correction of infractions or illicit acts committed.

• To protect persons who, in the context of the entity's own activity, detect serious or very serious criminal or administrative infractions and report them through the channel itself.

• The search for and achievement of an important preventive element through the existence of channels and incentives so that any person who knows of the infraction or illicit act can report it confidentially, resulting in a criminal risk prevention program is strengthened with the option of reporting anonymously through a regulated channel.

• An efficient and effective complement to the compliance policy, since, although the scope of application of the whistleblowing channel goes beyond criminal offenses and also includes administrative infractions, it is a means of information for receiving clearer evidence of the effectiveness (or ineffectiveness) of the existing controls and the adequacy of the risk analysis carried out.

Confidentiality and the prohibition of retaliation are established, allowing anonymous reporting, as fundamental pillars, and the term "whistleblowing channel" is modified to "information management system" - without prejudice to the fact that in this protocol both terms are used indistinctly, in order to establish an agile system for the detection of ad intra fraud.

Once the existence of sufficient indications that could constitute an infraction or criminal offense in the terms required by Law has been verified, it requires the collaboration with the judicial investigation or with the competent authority for its determination and sanction, by virtue of the contribution of data that have been included in the information and that could be verified according to the communication.

The management system also enables interaction with the Informant (Whistleblower), seeking formulas for cases in which the Informant has decided to remain anonymous, designing secure communication mechanisms both for monitoring the status of the investigation and, if appropriate, the provision of new data or additional evidence, or an expansion of the facts initially reported.

The main characteristics of the new regulation, scope, and requirements of the information management system (without prejudice to the specific development of each one of them) are the following:

1. 1. To provide the informants with a preferential channel for reporting actions or omissions that constitute any of the violations or offenses, including anonymously at the informant’s choice.

   2. Avoid retaliation and provide, where appropriate, the necessary support measures,

   3. Compliance with data protection regulations.

   4. Preserve, as far as possible, the identity of the informant and the persons concerned.

Information management systems significantly increase the effectiveness of regulatory compliance programs, becoming an instrument of self-control, both from the point of view ad intra to avoid internal fraud, and ad extra to avoid criminal or administrative liability to legal entities.

In short, it completes, complements, and improves the mechanisms already established by this entity under the Criminal Risk Prevention Plan. This internal information channel was created with the understanding that it provides favorable effects to the Informant and to the company itself.

2. Good Governance Practices in Comparative Law. EU Directive 2019/1937 on the protection of persons who report breaches of EU law.

In the European Union, the obligation for legal entities to have whistleblowing channels arose on April 16, 2019, with the approval by the European Parliament of the so-called "Whistleblowing" Directive. In the Dominican Republic, there are still no specific regulations governing this aspect. However, until a local regulation comes into force, this entity will accept as a good practice the voluntary implementation and for the benefit of the informant in accordance with the local regulation, the EU Directive 2019/1937 on the protection of persons who report breaches of Union law, insofar as it does not violate any local provision or lacerate any human right.

This Directive regulates minimum aspects that must be satisfied by the different channels of information through which a natural person who is aware in an employment context of an infringement of the legal provisions in force can make known the existence thereof.

As far as this entity is concerned, the Directive requires an internal information channel, so that information on irregular practices can be known by the organization itself in order to correct them or repair the damage as soon as possible; this is an expression of the evolution of the legislative policy, the result of models compared at international and European level, regulating anonymous information, and protecting the person reporting it.

Considered as reportable infringements related to public procurement; services, financial products, and money laundering; product and transport safety; environmental, health and consumer protection; protection of privacy; etc.

For the effective implementation of internal whistleblowing channels, the Directive provides that in the cases that apply, these are negotiated with the legal representation of the workers and specifically indicates the scope and content of the procedures and processing of complaints. Namely:

1. Whistleblowing channels should allow the possibility of making complaints both in writing and verbally, as well as by telephone or other voice messaging systems, and also in person if requested by Informant¹.

2. Obligation to acknowledge receipt of the complaint within a maximum period of 7 days;

3. Designation of an impartial person or service, who is competent to deal with the complaints, which may be the same person or service that receives the complaints and who will maintain communication with the whistleblower and, if necessary, will be responsible for requesting additional information and responding to the informant;

4. Prompt handling of all complaints, including anonymous ones;

¹ To do this, the informant must access the link https://canalinternodeinformacion.ikea.com.do

5. A maximum period of 3 months to respond to the informant on the processing of the complaint, counting from the acknowledgement of receipt or, if there was no acknowledgement receipt, from the expiration of the period of seven days from the filing of the complaint.

In this way, it is established that the whistleblowing channels must allow people to report either in writing, or verbally, or both; allowing legal entities in the private sector to receive and investigate complaints from the entity's employees with total confidentiality – including generic mentions of management personnel, directors and shareholders – but also, as far as possible, from any of the agents and suppliers and from any person who accesses the information through their work activities related to the entity.

The Directive is justified by the finding that the Informants "are the most important channel for uncovering fraud offenses committed within organizations; and the main reason why people who become aware of criminal practices in their company or public entity do not proceed to report them is mainly because they do not feel sufficiently protected against possible retaliation from the entity whose offenses they report". This does not preclude the establishment of reactive mechanisms to deal with information based on falsehood or false information.

In short, it seeks to strengthen the protection of the Informant and the exercise of their right to freedom of expression and information recognized in art.49 of the Constitution of the Dominican Republic, and thereby increase its performance in the discovery of illicit or criminal practices.

If the internal complaint is not sufficient, the possibility of an external complaint is contemplated. The Public Prosecutor's Office also regulates the protection systems for Informants against all types of retaliations.

The object and nature of the internal information system, following the principle of the Directive, is to quickly deal with any sign of a serious or very serious criminal or administrative infraction against the general interest, searching the eradication and/or prevention of any fraud, getting ahead exponentially with the knowledge that someone is committing irregularities and has de advantage that it can be stopped as swiftly as possible, avoiding major damages that would exist on a late detection.

The implementation of the management system requires, if there is a prior budget, consultation with the workers' representatives, informing them both of the procedure for receiving, managing, and resolving the information received, as well as of all the guarantees of anonymity and confidentiality of the informant.

2. REGULATORY REGIME

The regulatory regime to which the configuration of this Protocol is subject is mainly limited to the following instruments, without prejudice to any others whose incidental and specific effect may be referred to ¹:

Constitution of the Dominican Republic

Organic Law on Data Protection No. 172-13

LAW NO. 155-17 MONEY LAUNDERING AND THE FINANCING OF TERRORISM

Dominican Criminal Procedure Code

Dominican Penal Code

ISO 19600-2014 standard.

UNE 19601 Standard.

Directive (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of EU law

Law 2/2023, of 20 February 2023, regulating the protection of persons who report regulatory and anti-corruption breaches.

Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.

**The normative provisions referred to are so insofar as they address or regulate issues related to the content of this Protocol, even if they are sectoral in nature, serving as guiding criteria in the configuration of the management system.

3. IMPLEMENTATION REQUIREMENTS

For the purpose of defining the subjective, objective, and temporal scope, as well as the different implementation requirements established in the reference regulation, we will proceed to systematize each one of them in their corresponding subsections, without prejudice that some of them may be the object of further and more specific development due to their singular relevance. Thus, the requirements for the establishment of the internal channel are as follows:

1. Personal scope of application

2. Material scope of application

3. Objective scope.

4. Procedural scope.

5. Dissemination and information scope.

6. Responsibility scope.

7. Delimiting scope of the rights and obligations of the informant.

Each of the aforementioned aspects will be analysed from a theoretical perspective specific to the content of the applicable legislation, followed by the specific definition and configuration that will be implemented as a result of this Protocol.

1. PERSONAL SCOPE OF APPLICATION (INFORMANTS).

Protection in the terms and conditions that will be set forth in the section ("Prohibition of retaliation") is predicated, from a subjective point of view, as long as the Informant falls into one of the following categories:

1. Persons who work for this entity and have obtained the information they report in a work or professional context.

2. Employees.

3. Self-employed workers who provide services for this entity.

4. Shareholders, unitholders, and persons belonging to the administrative, management or supervisory body of the entity.

5. Any person working for or under the supervision and direction of contractors, subcontractors, and suppliers of the entity.

6. Employees or statutory personnel with a contract that has already ended, volunteers, interns, workers in training periods and people whose employment relationship with this entity has not yet started, provided that the information reported has been obtained during the selection process or pre-contractual negotiation.

In addition, the scope of protection will be extended to the following subjects related to the informant:

1. 1. Legal representatives in the exercise of their functions.

   2. Individuals assisting the informant.

   3. Natural persons specially related to the informant.

   4. Legal entities, for which the informant works or with which he or she has any other type of relationship.

PERSONAL SCOPE of APPLICATION (LEGAL ENTITY):

As a legal entity in the private sector with a payroll of more than fifty or more workers. We consider it important to proceed with the implementation of this Protocol by configuring the information management system with the requirements and characteristics that will be defined in the following sections.

It is proposed to the Governing Body for the purposes of its approval, that the current Criminal Risk Prevention Committee or Sarton Dominicana Compliance Committee under the Sarton Group Compliance Committee, as such a collegiate body, be instituted as Responsible for the management system.

2. MATERIAL SCOPE OF APPLICATION

The information management system set up by this Protocol will be limited to the reception and processing of information related to actions carried out within, through or for the benefit of this entity, being limited to the following material area, specifically excluding those communications whose purpose does not correspond to those provided herein:

1. 1. Any actions or omissions that may constitute infringements of the law of the Dominican Republic.

   2. Actions or omissions that may constitute a serious criminal or administrative offence.

   3. Information affecting classified information, professional secrecy of medical and legal professionals, the duty of confidentiality of the Security Forces and Corps within the scope of their actions, as well as the secrecy of judicial deliberations are excluded.

   4. Information relating to infringements in the processing of contracting procedures containing classified information or which have been declared secret or reserved, or those whose execution must be accompanied by special security measures in accordance with the legislation in force, or where the protection of essential interests for the security of the State so requires, are excluded.

The procedure for receiving, managing, and resolving information will be defined in the section "procedure for the management and processing of information".

III.PROCEDURAL SCOPE

From a procedural point of view, the internal information management system will ensure compliance with the following:

1. 1. To allow the communication of information in the terms set out in the subjective and objective scope of application.

   2. To guarantee the confidentiality of the identity of the informant and of any third party mentioned in the communication, and of the actions carried out in the management and processing thereof, as well as data protection, preventing access by unauthorized personnel.

1. 3. To allow the submission of written or verbal communications, or both, including through face-to-face communication.

   4. Option to submit anonymous communications.

   5. To ensure that the communications submitted can be dealt with effectively.

   6. To be independent and appear differentiated.

   7. To have a System Administrator.

   8. To have a duly published and accessible policy.

   9. To have a procedure for managing the information received.

   10. To establish guarantees for the protection of Informants.

   11. To report on external channels.

The information management procedure (defined in the section "information management and processing procedure") will be developed on the basis of the following premises:

1. Identification of the internal information channel.

2. Identification of external information channels.

3. Guarantee of the sending of an acknowledgement of receipt of the communication to the informant, within seven calendar days of its receipt, unless this may jeopardize the confidentiality of the communication.

4. Determination of the maximum period to respond to the investigation proceedings, which is set at three (3) months as from the receipt of the communication or, if no acknowledgement of receipt was sent to the informant, at three (3) months as from the expiration of the seven (7) day term after the communication was made, except in cases of special complexity that require an extension of the term, in which case, this may be extended up to an additional three (3) months.

5. Provision for the possibility of maintaining communication with the informant and, if deemed necessary, requesting additional information from the informant.

6. Establishment of the right of the affected person to be informed of the acts or omissions attributed to him/her, and to be heard at any time.

7. Guarantee of confidentiality.

8. Demand respect for the presumption of innocence and the honor of the persons concerned.

9. Compliance with the provisions on the protection of personal data.

10. Immediate forwarding of the information to the Public Prosecutor's Office when the facts could constitute a crime.

    1. DISSEMINATION AND INFORMATION SCOPE

An informative obligation is designated from a twofold aspect, distinguishing the publicity and dissemination that, on the one hand, must be made about the rights of the informant and the management procedure (see section "procedural scope") and, on the other hand, the publicity understood as the communications addressed to the competent authority informing formal aspects such as, for example, the designation of the System Administrator.

In relation to individuals and/or potential informants, the minimum information requirements are established:

1. Provide adequate information in a clear and easily accessible manner on the use of the internal information channel and on the essential principles of the management procedure.

2. The conditions for eligibility for protection.

3. Contact details for external information channels.

4. The confidentiality regime applicable to communications and, in particular, information on the processing of personal data.

5. Remedies and procedures for protection from retaliation; and the availability of confidential advice.

6. The contact details of the competent authority or body concerned.

The information described in the preceding points, as will be indicated, and exhaustively defined in the section relating to the management and processing procedure, will be inserted on the entity's website, in a separate and easily identifiable section.

V. RESPONSIBILITY SCOPE

The responsibility for the implementation of the information management system in the required terms is the Governing Body, the Compliance Committee, and local managers when they are delegated. However, the obligations arising from it are not only predicable with respect to the latter but also with respect to any person who incurs in the infractions described in the normative body: Natural and legal persons who carry out any of the actions described as infractions will be subject to the sanctioning regime established in local legislation.

Therefore, a primary responsibility is predicated with respect to the governing body. Secondly, this responsibility would be transferred to the responsible of the Management System or Compliance Committee, or responsible as delegated or instructed.

4. RIGHTS OF THE INFORMANT

The rights of the informant will be referred to at this point in reference to the impact they have with respect to this entity, that is, from the point of view of the taxpayer who must comply with the obligations imposed by this document:

1. Confidentiality: The entity must guarantee that the identity of the Informant is not revealed to third parties, ensuring that the management system implemented has the personal and technical requirements that protect the Informant, not collecting data that could identify the Informant or any person referred to in his or her communication.

The entity or, as the case may be, the System Administrator, may only communicate the identity of the Informant to the Judicial Authority or the competent administrative authority in the context of a criminal, disciplinary or sanctioning investigation; always informing the informant beforehand that his or her identity will be revealed, unless this could compromise the investigation or judicial procedure.

2. The entity will publish, for written communications, a form that will optionally allow the informant to indicate an address, e-mail address or safe place to receive the communications made in connection with the investigation or, if applicable, to waive receiving communications. This option will also be provided when verbal communications are made, giving the informant the possibility of designating a means for the reception of communications if he/she wishes.

3. Legal assistance or advice: Inform the informant of the possibility, under his/her choice, of appearing and being assisted, if necessary and if he/she deems it appropriate, by a lawyer.

4. Protection of personal data: The entity must provide information relating to personal data when their personal data is obtained directly from the interested parties.

5. Inform the informant: provided that he/she has informed of his/her wish to receive communications on the status of the processing of his/her complaint and the results of the investigation.

5. Protective measures and non-retaliation protocol:

The entity must ensure that protective measures are taken for the Informants, preventing retaliatory actions from being carried out as a result of the information submitted through the management system and, where appropriate, adopt the appropriate disciplinary measures. The protective measures and the protocol against retaliation will be set out in the section on the "management and processing procedure".

5. Duty to provide information: The entity must provide adequate information in a clear and easily accessible way, on the use of the internal information channel, as well as on the essential principles of the management procedure, information that in this case will be defined in the section "management and processing procedure" and in turn will be published on the company's website, including, in any case, the following:

5. 1. the conditions for eligibility for protection.

   2. contact details for external information channels.

   3. management procedures.

   4. the confidentiality regime applicable to communications.

   5. remedies and procedures for protection against retaliation.

   6. the contact details of the competent authority or body concerned.

5. "NON-RETALIATION" PROTOCOL

The prohibition of retaliation is a right of both the Informant and the persons specially related to him/her (defined in the section "subjective scope of application I") guaranteeing their protection for a minimum period of two years from the submission of the information, with the implementation of this program pursuing the adoption of the pertinent measures aimed at preventing and avoiding any of the conducts that may constitute a case of retaliation by the than those listed in this section, rendering these acts null and void and may give rise, where appropriate, to disciplinary or liability corrective measures, which may include the corresponding compensation for damages to the injured party.

With regard to the prohibition of retaliation, "acts constituting retaliation, including threats of retaliation and attempts at retaliation against persons submitting a communication, are expressly prohibited", retaliation being understood as " any acts or omissions that are prohibited by law, or that, directly or indirectly, involve unfavorable treatment that places the persons who suffer them at a particular disadvantage with respect to another in the employment or professional context, just because of their status as informants, or because they have made a public disclosure".

Specifically, conducts that incur in any of the following situations are prohibited, with the exception of those that, due to accredited or accreditable causes, have been taken for reasons unrelated to the filing of the complaint, which, in any case, must be proven by the person who has taken the prohibited measure:

• Suspension of the employment contract, dismissal or termination of the employment or statutory relationship, including the non-renewal or early termination of a temporary employment contract once the probationary period has expired, or early termination or cancellation of contracts for goods or services, imposition of any disciplinary measure, demotion or denial of promotion, and any other substantial modification of working conditions and the failure to convert a temporary employment contract into a permanent one, in the event that the employee had legitimate expectations that he/she would be offered a permanent job.

• Damages, including those of a reputational nature, or economic losses, coercion, intimidation, harassment, or ostracism.

• Negative evaluation or references regarding work or professional performance.

• Inclusion in blacklists or dissemination of information in a specific sectoral area, which hinders or prevents access to employment or the contracting of works or services.

• Denial or cancellation of a license or permit.

• Denial of training.

• Discrimination, or unfavorable or unfair treatment.

• Change of job position, change of work location, salary reduction.

• Downgrading or denial of promotion.

• Denial of training, courses, among others.

• Negative evaluation or references on work results.

• Suspension, dismissal, removal, or equivalent measures.

• Imposition of disciplinary measures, reprimands, or other sanctions, including reductions in rest periods or vacations.

• Intimidation, harassment, discrimination, or unfavorable treatment.

• Physical, moral, or reputational damage, including in social media.

• Anonymous disclosure of information, identifying the whistleblower to suffer hostility in the work environment.

• Defamation process outside the work environment.

• Alleging the existence of the confidentiality clause between the informant and the Organization, in order to sanction the informant for non-compliance.

5. RIGHTS OF THE DEFENDANT

The person who is initially incriminated by the information provided through the management system, as well as those who are investigated at a later stage of the procedure, have a series of rights and protections:

Measures for the protection of the affected persons: During the processing of the file, the persons affected by the communication will have the right to the presumption of innocence, the right of defense and the right of access to the file under the terms regulated in this law, as well as the same protection established for the informants, preserving their identity, and guaranteeing the confidentiality of the facts and data of the procedure.

The information management procedure provided for in this protocol guarantees the following rights to the person in respect of whom the information is submitted (see "management and processing procedure"):

• The confidentiality of the data corresponding to the affected persons and to any third party mentioned in the information provided will be preserved and guaranteed.

• Right of defence.

• Right to the presumption of innocence.

• Right of access to the file, with the necessary limitations to preserve the identity and confidentiality advocated for the third party informant.

• Right to make allegations.

5. CONFLICT OF INTEREST

Regarding the position of the Responsible for the management system or Compliance Committee, it advocates that, in any case, efforts should be made to avoid "possible situations of conflict of interest" when configuring the system.

By virtue thereof, in the event that the facts reported could affect any of the members of the Governing Body, the Criminal Risk Prevention Committee as a collegiate body that will be designated as the Responsible for the information management system (see section " Resolutions of the Governing Body ") or, where appropriate, the natural person to whom it will delegate for the purposes of any incident report, or that in any way may generate a conflict of interest for any of these persons, the affected person must abstain from intervening in the procedure for processing the complaints, as described below.

It will be understood that there is a conflict of interest in those cases in which the particular interests of any of these persons may limit their ability to carry out, with due objectivity, neutrality and impartiality, the processing and investigation of the complaints. This conflict is presumed to exist when the reported facts fall within the responsibilities and executive functions of any of the members of the Governing Body or the Compliance Committee and may also exist when the facts affect any person with whom any of them has a family relationship (up to and including the third degree) or a business interest.

As a consequence of the foregoing, if the informant suspects that the facts could imply a conflict of interest situation with the Compliance Committee, he/she may submit the complaint directly to the person holding the position of Secretary of the Governing Body. In such cases, and provided that the existence of such a situation of conflict of interest is verified, the local Law Firm, as external advisor, will be entrusted with the processing and investigation of the complaint, and the budgetary management controls that may be applicable will not have to be followed for its contracting.

5. PROCEDURE FOR THE MANAGEMENT AND PROCESSING OF INFORMATION

The procedure for the management and processing of information, a procedural scope, developed throughout this protocol and which will be subject to specific publicity, will be governed by the following actions:

5. 1. Reception of information. Information will be received:

1. Through the form inserted in the "Internal Information Channel" tab enabled on the website: www.ikea.com.do/es/legal/canal-interno-informacion

1. Exceptionally, at the request of the informant – a request that must be made through the same channels indicated in the previous points – it will be allowed to make the complaint in person, for which purpose a meeting will be arranged within seven calendar days following the submission of the request.

If the informant chooses to present the complaint in person, it will be documented, at his/her discretion:

1. 1. by recording the conversation in a secure, durable, and accessible format, or

   2. through a complete and accurate transcription of the conversation made by the staff responsible for processing it.

The informant, having opted for any of the options for submitting information, may choose whether to receive communications of the proceedings that occur during the procedure, including the acknowledgement of receipt, by indicating an address, either postal or electronic, or telephone number for the reception of communications, without prejudice to the right of withdrawal at any time during the procedure.

A system will be established whereby the informant, at the time of filing the complaint, is provided with a reporting code or reference. With this code, the informant will be able to access the Channel's website to consult, if he/she deems it necessary, the processing status of his/her complaint and the actions and requests for information that the channel administrator may have required of him/her. From this section, the informant may provide any additional information required, always maintaining the security and anonymity conditions required by law.

In the case of accepting the receipt of communications, acknowledgement of receipt of the information submitted will be sent to him/her within seven calendar days.

5. 2. Information management

The information or complaint submitted and, where appropriate, the supporting documentation that has been attached on the facts denounced, will be processed by the System Administrator, who will be responsible for receiving them, carrying out a preliminary analysis of the facts reported and their suitability for the form provided.

After that, within a maximum period of ten (10) business days from its effective receipt, it will make one of the following decisions:

5. 1. 1. Inadmissibility of the communication, in any of the following cases:

5. 1. 1. 1. When the facts reported lack any credibility.

         2. When the facts reported do not constitute an infringement of the legal system included in the scope of application.

         3. When the communication is manifestly unfounded or there are, in the opinion of the person in charge, reasonable indications of having been obtained through the commission of a crime. In the latter case, in addition to the inadmissibility, a detailed account of the facts deemed to constitute a crime will be sent to the Public Prosecutor's Office.

         4. When the communication does not contain significant new information on infringements in comparison with a previous communication in respect of which the corresponding procedures have been concluded unless there are new factual or legal circumstances that justify a different follow-up.

5. 1. 2. Admit the communication.

5. 1. 3. Immediately forward the information to the Public Prosecutor's Office when the facts could constitute a crime or to the Public Prosecutor's Office in the event that the facts affect the country's financial interests.

5. 1. 4. Send the communication to the authority, entity or body that is considered competent to process it.

After following the above milestones and deadlines, the decision adopted by the person in charge at this stage of the procedure will be communicated to the Informant no later than ten working days (10), unless the communication is anonymous, or the Informant has waived the right to receive communications.

5. 3. Notification to the defendant

Any person who has been the subject of a complaint admitted for processing will be informed about:

1. Receipt of the complaint,

2. A brief statement of facts and documentation, if any, attached.

3. His/her right to submit written allegations within ten (10) calendar days from the receipt of the communication.

4. About the treatment of his/her personal data.

Exceptionally, if the person in charge considers that there is a risk that notifying the person reported could compromise the investigation, such notification may be made during the hearing procedure if it is considered that providing it beforehand could facilitate the concealment, destruction, or alteration of the evidence.

In any case, the period for informing the reported person will not exceed one (1) month from the receipt of the report, either in writing or by personal communication for the purposes described in the preceding paragraph.

5. 4. Investigation of the facts reported.

Once the complaint has been admitted for processing, the person in charge will initiate the appropriate investigations to verify the veracity of the facts reported. To this end, it may request as much information and documentation as it deems necessary to try to clarify the facts reported to as many departments, areas, or persons of the entity as it deems appropriate.

To this end, and whenever they are requested to do so, the entity's personnel will cooperate fully with the investigation work carried out.

In the case of the informant having accepted the communication of the acts issued during the procedure, having indicated a contact address for this purpose, he/she may be requested, if necessary for the investigation of the facts, to clarify or expand the information.

In the event that, due to the nature of the facts, it is considered that the investigation will be complex, the assistance or specialized advice of an external expert may be sought, which will be coordinated with the Criminal Risk Prevention Committee or the Compliance Committee.

5. 5. Termination of proceedings

Once all the proceedings have been completed, the System Administrator will issue a report containing:

5. 1. 1. A statement of the facts reported together with the identification code of the communication and the date of registration.

      2. The classification of the communication for the purpose of determining whether or not it is a priority in its processing.

      3. The proceedings which were carried out in order to verify the credibility of the facts.

5. 1. 4. The conclusions reached in the investigation and the assessment of the proceedings and the evidence supporting them.

Once the report has been issued, the person in charge will take one of the following decisions:

1. Archiving of the file, which will be notified to the informant and, where appropriate, to the person affected.

2. Referral to the Public Prosecutor's Office, although there was initially no indication that the facts could be of the nature of a crime, even if it appeared from the course of the investigation.

3. Transfer of all actions to the competent authority.

4. Adoption of internal legal and disciplinary measures of any kind.

The term for completing the proceedings and responding to the informant, if applicable, may not exceed three (3) months from the entry into the register of the information, or, if an acknowledgement of receipt was not sent to the informant, three (3) months from the expiry of the period of seven (7) days after the communication was made. except in cases of particular complexity that require an extension of the period, in which case, it may be extended up to a maximum of three additional months.

5. 6. Execution

The internal sanction or disciplinary measures agreed in each case will be applied by the person or persons who have been assigned such functions, under sufficient authority.

In the case of labor-related sanctions, the Human Resources department will be in charge. If the sanction is of a commercial nature (contractual termination, etc.) or requires the exercise of legal actions, it will be adopted by the Governing Body and executed by a person with sufficient authority.

5. 7. Receiving information through channels other than the authorized one

In the event that a communication is received, whether it was or could be the material object of the scope of application of the whistleblowing channel, through a channel other than the competent one or by staff members who are not responsible for its processing, the person or persons who received it will immediately forward it to the person in charge of the management system, without disclosing any information that could enable the informant or the person affected to be identified.

5. 8. Identification of external channels

In addition to the internal whistleblowing channel implemented by this entity, other information mechanisms are foreseen, such as the external channel and public disclosure. This external channel is not incompatible with the internal channel implemented by this entity, since although the latter is considered preferential, this does not mean that it excludes the external channel, so that they can be compatible and even use only and exclusively the aforementioned external channel. As an external option, the Prosecutor's Office or competent authority will always be available.

5. 9. Rights of the Informant

The procedure for the management and processing of information will ensure compliance with the rights proclaimed in favor of the informant:

1. Confidentiality of communications issued through the system and of the resolutions that may be issued, guaranteeing anonymity in cases in which the informant decides for this option, preventing access to it by unauthorized personnel; This protection extends to third parties who are mentioned or involved in the investigation.

2. Indicate an address, e-mail address or safe place to receive communications regarding the investigation or Waive, if applicable, the right to receive communications.

3. Appear on his/her own initiative or when required to do so, being assisted, if necessary and if he/she deems it appropriate, by a lawyer.

4. Exercise the rights conferred by the personal data protection legislation.

5. Know the status of the processing of his/her complaint and the results of the investigation.

6. Right to protection: The whistleblower has the right to avail himself/herself of the protection measures dispensed in section 5.10, in addition to any others that may be dispensed by the competent authorities on the external channel.

7. Right to non-retaliation

8. Right of information.

10. Protection against Retaliation

Conducts that incurs in any of the following situations are prohibited, with the exception of those that, due to accredited or accreditable causes, have been taken for reasons unrelated to the filing of the complaint, which, in any case, must be proven by the person who has taken the prohibited measure:

1. • Suspension of the employment contract, dismissal or termination of the employment or statutory relationship, including the non-renewal or early termination of a temporary employment contract once the probationary period has expired, or early termination or cancellation of contracts for goods or services, imposition of any disciplinary measure, demotion or denial of promotion, and any other substantial modification of working conditions and the failure to convert a temporary employment contract into a permanent one, in the event that the employee had legitimate expectations that he/she would be offered a permanent job.

   • Damages, including those of a reputational nature, or economic losses, coercion, intimidation, harassment, or ostracism.

   • Negative evaluation or references regarding work or professional performance.

   • Inclusion in blacklists or dissemination of information in a specific sectoral area, which hinders or prevents access to employment or the contracting of works or services.

   • Denial or cancellation of a license or permit.

   • Denial of training.

   • Discrimination, or unfavorable or unfair treatment.

   • Change of job position, change of work location, salary reduction.

   • Downgrading or denial of promotion.

   • Denial of training, courses, among others.

   • Negative evaluation or references on work results.

   • Suspension, dismissal, removal, or equivalent measures.

   • Imposition of disciplinary measures, reprimands, or other sanctions, including reductions in rest periods or vacations.

   • Intimidation, harassment, discrimination, or unfavorable treatment.

   • Physical, moral, or reputational damage, including in social media.

   • Anonymous disclosure of information, identifying the whistleblower to suffer hostility in the work environment.

   • Defamation process outside the work environment.

   • Alleging the existence of the confidentiality clause between the informant and the Organization, in order to sanction the informant for non-compliance.

10. Rights of the Defendant

The information management procedure guarantees the following rights to the person in respect of whom the information is submitted:

1. • The confidentiality of the data corresponding to the affected persons and to any third party mentioned in the information provided will be preserved and guaranteed.

   • Right of defence.

   • Right to the presumption of innocence.

   • Right of access to the file, with the necessary limitations to preserve the identity and confidentiality advocated for the third party informant.

   • Right to make allegations.

 

Legal notice: We inform you that the data you provide us by email will be incorporated into a file under the responsibility of SARTON DOMINICANA S.A., and will be treated based on compliance with a legal obligation, in order to process and resolve the information received in accordance with the established procedure.

Your data may be accessible to external technology service providers, such as web hosting, computer maintenance and other similar services linked to SARTON DOMINICANA SAS.

The data obtained through this channel will be kept for the time required to resolve the processing of the complaint. In any case, at any time, you may revoke the consent granted and exercise your rights of access, rectification, cancellation, opposition, revocation, limitation, portability and opposition to automated decisions, by sending an email to the following address lopd@ikeasi.com.

If you want to obtain more information, please visit the Legal Notice and Privacy Policy of SARTON DOMINICANA SAS in the link, and on the website of the corresponding store, accessing the legal part: ikea.com.do/es/legal/proteccion-de-datos

5. 8. DESIGNATION OF THE PERSON IN CHARGE OF THE SYSTEM (SYSTEM ADMINISTRATOR)

Following the explanation set out in the "scope of responsibility" section, the designation by the Governing Body of a natural person (manager) or collegiate body (which must also delegate one of its members) as the person in charge of the management system, who must carry out his or her functions in a totally independent and autonomous manner.

Responsible for the Internal Information System.

1. The governing body of each entity or organization bound by this law will be competent to designate the natural person responsible for the management of such system or "System Administrator", and for his or her removal or dismissal.

2. If the System administrator is a collegiate body, it must delegate to one of its members the authority to manage the internal information system and to process investigation files.

3. If applicable or provided for by law, both the appointment and dismissal of the individually designated natural person, as well as of the members of the collegiate body, must be notified to the competent authority, within the scope of their respective competences, within the following ten working days, specifying, in the case of their dismissal, the reasons that have justified it.

4. The System Administrator must perform his/her functions independently and autonomously with respect to the rest of the bodies of the entity or body, may not receive instructions of any kind in the exercise thereof, and must have all the personal and material resources necessary to carry them out.

5. In the case of the private sector, the system administrator, or the entity to which the responsible collegiate body has delegated its functions, will be an executive of the entity, who shall exercise his or her position independently of the entity's administrative or governing body. When the nature or dimension of the entity's activities do not justify or permit the existence of an administrator responsible for the system, it will be possible to ordinarily perform the functions of the post or position with those of the person responsible for the system, trying in all cases to avoid possible situations of conflict of interest.

6. In entities or bodies in which there is already a person responsible for the function of regulatory compliance or integrity policies, whatever their name, this may be the person designated as the System Administrator, provided that they meet the requirements established in this law.

This entity, as referred to in the section " Obligations of the Governing Body ", as well as in "Adoption of Agreements Proposal ", must designate the natural person or collegiate body in charge of the management of the system and its subsequent communication to the competent authority.

In this case, it is considered appropriate that the management of the channel be delegated to the Criminal Risk Prevention Committee, a committee which, on the other hand, already managed and reviewed the prevention plan's own complaints channel, a channel that will be adapted for the implementation of this protocol.

By virtue thereof, the proposal to be made to the Governing Body ("Adoption of Agreements Proposal") for the purposes of adopting the decision provided for in this section is that the Criminal Risk Prevention Committee assumes the duties of the Administrator, without prejudice to the Governing Body itself adopting the relevant decision regarding the natural person who assumes the management and processing among the members of the Committee.

This designation must be communicated to the competent authority, which, although it has not yet been constituted, the communication made to similar bodies will be deemed valid, if applicable, until such time as it is constituted.

5. 8. OBLIGATIONS OF THE GOVERNING BODY

The obligations imposed by the Law on the Governing Body, taking into account that they will be proposed in the following section to the Governing Body for its final approval and consequent implementation, are the following:

1. The implementation of the management system: "The governing body of each entity or organization bound by this law will be responsible for the implementation of the Internal Information System").

2. To submit the management system to prior information to the workers' representatives if applicable: "prior consultation with the workers' legal representatives.

3. Designation of the System Administrator: " The Governing Body of each entity or organization bound by this law will be competent for the designation of the natural person responsible for the management of said system or "System administrator", and for his/her removal or dismissal") and communication of this appointment to the competent Authority, if applicable.

4. To approve the information management system: "The governing body of each entity or organization bound by this law will approve the information management procedure."

5. To publish information regarding the use and operation of the information management system: The subjects within the scope of application of this law will provide adequate information in a clear and easily accessible form, on the use of any internal information channel they have implemented, as well as on the essential principles of the management procedure. In the case of a website, such information will be included on the home page, in a separate and easily identifiable section").

6. To keep a record book of information received and internal investigations: All parties obliged, in accordance with the provisions of this law, to have an internal information channel, regardless of whether they are part of the public or private sector, will keep a record book of the information received and the internal investigations to which they have given rise, guaranteeing, in any case, the confidentiality requirements").

7. To provide the information established in the personal data protection regulations: "When their personal data is obtained directly from the interested parties, they will be provided with prior consent and in accordance with local legislation.

8. To review the protocol and operation of the information management system.

At least once every three years, this protocol should be evaluated. The requirements referred to herein are reflected and developed in the section "management and processing procedure", which will be submitted to the administrative body for approval and subsequent implementation, definitively considering that the requirements have been met; This is with the exception of prior consultation with the workers' representatives, which will not be published but will also be submitted to the Governing Body for its approval.

11. ADOPTION OF RESOLUTIONS: RESOLUTIONS TO BE ADOPTED BY THE GOVERNING BODY.

By virtue of the content of this Protocol and, in particular, of the provisions contained in the section "OBLIGATIONS OF THE GOVERNING BODY", it is deemed appropriate to submit this Protocol to the Governing Body for final approval, as well as the following proposal for Resolutions:

11. 1. The implementation of the management system.

    2. The approval of the information management system in the terms defined in the section "management and processing procedure.

    3. Designation of the system administrator

    4. Publish information related to the use and operation of the information management system.

In conclusion, it is relevant and required that the Governing Body issues a statement on the above points, pronouncing itself on the implementation of the management system under the terms, procedure and conditions defined in this Protocol, agreeing to its publication and the designation of a system administrator.

Form:

Canalinternodeinformacion.ikea.com.do