The purpose of this document is to regulate the procedure that will be applied to communications received through the Iberostar Group's internal information channels, within the scope of application of the General Policy of the Iberostar Group's Internal Information and Defense System (“SII General Policy”).

The drafting of this Information Management Procedure was approved, together with the General Policy of the SII, by the management body of the parent company of the Iberostar Group in June 2023.

The SII is the preferred channel for reporting the actions and omissions indicated in the SII General Policy, provided that the violation can be effectively treated and if the complainant believes that there is no risk of retaliation.

In every procedure and investigation, the rights to privacy, to defense and to the presumption of innocence of the persons under investigation shall be guaranteed.

The procedure will be transparent and the right to information will be guaranteed for those involved, who must necessarily know:

Access to data received through the Internal Information System is limited to the people indicated in the Privacy Policy of the Iberostar Group's Internal Information System.

The confidentiality of the processing of the files will be guaranteed, as well as the identity of the persons involved, which cannot be communicated or revealed without their consent.

Of all the investigative actions, and in particular of the interviews and explanations given by the people related to the fact reported, a written record will be drawn up at the same meeting, which will be duly signed by the person to whom the investigation has been entrusted, offering the interviewee the opportunity to verify, rectify and accept by signing the transcript of the conversation.

Any informant may make use of the following internal information channels:

Complaints may be made in accordance with the principle of anonymity indicated in SIS, with the exceptions provided for in the whistleblower protection section. In particular, the submission of anonymous communications linked to interpersonal conflicts or affecting only the informant and the people to whom the communication refers is not allowed, in order to guarantee the rights of defense of third parties affected by the complaint.

Should an Iberostar Group Collaborator not responsible for the processing of the information receive a communication regarding the commission of an offence, the latter must immediately redirect it to the System Manager through the indicated email address, maintaining the confidentiality of the communication and/or anonymity of the informant. The breach of confidentiality is classified as a very serious violation in Law 2/2023.

In any case, the complaint must be made in good faith and include the following information:

Once the communication has been received, the SII Manager will send an acknowledgment of receipt of the complaint to the informant within a maximum period of seven (7) calendar days, in which an entry number assigned to said complaint will be communicated along with the date of receipt.

Within a period not exceeding seven (7) calendar days from the receipt sent by the SII Manager, it will be determined whether or not to process the complaint, taking special account of the following criteria:

If there are any circumstances related to a communication that may involve a conflict of interest for the Managers of the SII, or one of them, or that in any way affects or may affect their neutrality or independence, before deciding to admit it to the procedure and, in any case, no later than five (5) calendar days following the date of receipt of the complaint, you must refrain from taking any decision and immediately bring it to the attention of the other members of the System Manager or, when they are in it, situation, of the Risk Committee. In this case, it will be up to the Risk Committee, excluding members who may also have a conflict of interest in their case, to decide within the indicated deadlines on the admission to processing of the said complaint, as well as on the appointment of a person for the subsequent processing of the file who meets the appropriate requirements of neutrality and independence.

The complainant must be reasonably informed of the final decision not to admit a complaint, using secure means that guarantee the receipt of the information by the informant.

If the complainant provides data from a third party other than the complainant (for example, witnesses), the third party must also be informed of the processing of their data and their origin, in accordance with the provisions of the SII Privacy Policy.

In addition to all of the above, when the facts reported by the informant could be indicatively constituting a crime, at the discretion of the Information System Manager, the latter shall immediately send the facts reported to the Public Prosecutor's Office. In the event that the facts affect the financial interests of the European Union, it will be referred to the European Public Prosecutor's Office.

4. Instruction

Once the complaint has been processed, the person delegated by the Head of the SII must:

Any person involved in the investigation will be asked to sign a confidentiality agreement or, where appropriate, to commission data processing, prior to the support provided.

There is no standard procedure for conducting research, which will depend on your particular circumstances. However, a precautionary principle will be applied, in order to avoid the risk of prolonging possible regulatory breaches, destruction of evidence, litigation, reputation, loss of assets, etc.

It will be guaranteed that the person affected by the facts reported is aware of it once the complaint has been admitted for processing, as well as of the facts reported succinctly. In addition, you will be informed of your right to submit written allegations and of the processing of your personal data. However, this information may be delayed if it is considered that its previous provision could facilitate the concealment, destruction or alteration of evidence. In any case, this period will never exceed thirty (30) calendar days from the admission to processing of the complaint.

Under no circumstances will the affected subjects be informed of the identity of the informant nor will they be given access to the communication. During the investigation, news of the communication with a brief list of facts will be given to the person under investigation. This information may be provided during the hearing process if it is considered that your previous contribution could facilitate the concealment, destruction or alteration of the evidence.

The hearing procedure, which will take place within thirty (30) days following the admission of the complaint (unless due to the concurrence of justified causes, based on the complexity or the number of steps to be taken, they advise the extension of the deadline by the time strictly necessary), will include in any case and without prejudice to the possibility of submitting written allegations, a private interview with the person reported or supposedly responsible for the irregularity in which, while respecting the guarantee of presumption of innocence, you will be informed of the facts that are the subject of the file, you will be invited to present your full version of the facts, you will be able to provide the relevant evidence and you will be asked the appropriate questions depending on the circumstances of the case and the facts reported. In addition, all affected parties will be informed about the processing of their personal data, as well as to comply with any other duty required by the legislation on the protection of personal data.

If the complainant is a member of the Works Council or staff delegate or is a union delegate, he will be consulted about granting a hearing procedure to the remaining members of the Works Council, staff delegates or union delegates, if any. In any case, the provisions of the applicable regulations on the subject will be complied with.

Once the investigation of the file has been completed and within a maximum period of thirty days, the person responsible for the processing will submit it together with a proposal for a resolution to the Head of the SII to resolve what they deem appropriate.

The maximum period for responding to investigative actions may not exceed three months from the receipt of the communication or, if an acknowledgment of receipt was not sent to the informant, three months from the expiration of the period of seven days after the communication was made. In cases of special complexity that require an extension of the deadline, it may be extended up to a maximum of another three additional months.

In the event that the resolution issued concludes that an Iberostar Group Collaborator has committed an irregularity, said resolution will be transmitted to the Human Resources Department for the application of appropriate disciplinary measures and, where appropriate, to the competent authorities for the purpose of initiating appropriate administrative or judicial proceedings.

In addition, in this case, the Risk Committee will be sent to the Risk Committee, which will draw up a list with the recommendations it deems appropriate for the improvement of the Iberostar Group's Code of Ethics and the Iberostar Group's Crime Prevention System.

The following includes clear and accessible information on the main external channels of information before the competent authorities and, where appropriate, before the institutions, bodies, bodies or agencies of the European Union.

Any natural person may report to the AAI. Independent Authority for the Protection of Whistleblowers or before the corresponding authorities or autonomous bodies for any actions and omissions provided for in Law 2/2023.

The violation of any of the rules, procedures, policies, instructions, orders or mandates of the Iberostar Group within the scope of its Code of Ethics of the Iberostar Group, of its PPD. Crime Prevention Program or its SII by any Collaborator to which they apply, will involve a violation. In this case, the Iberostar Group Disciplinary Regime Protocol will apply.

Offences and, where appropriate, sanctions, shall be determined in accordance with applicable regulations and the Sanctioning Protocol of the Iberostar Group's Crime Prevention Program.

These sanctions are of a disciplinary nature and are contemplated independently of the sanctions provided for in the applicable labor regulations, as well as the possible civil and criminal actions that may occur, so the Board of Directors, through the Management Representative, reserves the power to report the person who violates the regulations to the competent authorities and/or to take appropriate legal action before the courts of justice.

Compliance with the provisions on the protection of personal data is guaranteed in accordance with the provisions of the SII Privacy Policy, which you can consult here. For any questions related to the privacy policy, you can contact the Data Protection Officer at the email address: privacy.dpd@grupoiberostar.com.

In cases where personal data is communicated between the offices and hotels of the Iberostar Group located outside the territory of the European Union or in those states that the European Commission has considered to have a level of protection comparable to that of the RGPD, the provisions of the legislation of the country of origin regarding international data transfers must be complied with.