The BME Group's Internal Information System (hereinafter "BME´s Information System") is the channel for reporting irregular or potentially inappropriate conduct, actions or omissions that could constitute breaches or from which there may be indications of non-compliance with applicable legislation and the internal regulations established by the SIX-BME Group, as well as any form of discrimination or harassment in the workplace (hereinafter "conduct and non-compliance").

BME's Information System shall be applicable to employees, as well as to clients, suppliers and other interested parties who have a relationship with BME or any of its Group companies, who detect conduct and non-compliance in an employment or professional context and report them through the channels provided in BME's Information System (hereinafter "reporting persons").

Internal reporting channels and means of communication

The internal communication channels will be, in accordance with the regulations in force, the preferred means of information. BME´s Information System integrates the following reporting channels:

• Whistleblowing channel for reporting irregular or potentially inappropriate conduct, actions or omissions that could constitute breaches or from which there may be indications of non-compliance with applicable legislation and the internal regulations established by the SIX-BME Group

• Channel enabled to report conduct that may constitute any form of discrimination or labor or sexual harassment, in the workplace.

The reporting/complaining through the above channels could be done:

• In writing through the following means:

• E-mail to Compliance Spain: canaldedenuncias@grupobme.es

• Communication through BME Integrity Line tool available at: https://bme.integrityplatform.org/, to which only Compliance Spain personnel have access.

  The tool provides the option of communicating and processing information anonymously.

• By means of a physical meeting with Compliance Spain at the request of the reporting person, within a maximum period of seven (7) calendar days from the communication.

Essential principles of the management procedures:

Internal procedures for managing the information received through the reporting channels integrated in the BME´s Information System are based on the following principles:

• Confidenciality

  BME ´s Information System is designed and managed in such a way as to guarantee the confidentiality of the information reported, the identity of the reporting person, of any third party mentioned in the communication, as well as of the actions carried out in the management and processing of the same.

• Information on personal data protection

  The protection of personal data will be guaranteed, preventing access to them by unauthorized personnel.

  Information on personal data protection can be found at the following link.

• Prohibition of retaliation

  Persons reporting or disclosing information within the scope of the BME Information System, through any of the channels made available to them, shall be entitled to protection provided that they act in good faith and have reasonable grounds to believe that the information is true at the time of communication, even if they do not provide conclusive evidence.

  Acts constituting retaliation, including threats of retaliation and attempted retaliation against persons who report information under the BME Information System are expressly prohibited.

• Protection of persons concerned

  The persons concerned by the communication shall have the right to the presumption of innocence, the right of defense and the right of access to the file. They shall be equally entitled to the same protection established for reporting persons, preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure.

External reporting channels

The commission of any actions or omissions that may constitute a violation of the above may be reported through the external information channel of the competent authority: Autoridad Independiente de Protección del Informante (A.A.I.) or through the corresponding regional competent authorities:

1. Breaches of European Union law provided that they fall within the scope of the acts listed in the Annex to Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019, when they affect the financial interests of the EU and have an impact on the internal market, as referred to in Article 325 and 26.2 of the Treaty on the Functioning of the European Union.

2. Serious or very serious criminal or administrative breaches of the Spanish legal system.

Breaches falling within the scope of Directive (EU) 2019/1937 of 23 October 2019 may also be reported to the relevant institutions, bodies, offices or agencies of the European Union when they affect the interests of the European Union.

Information on personal data protection

Who is the Data Controller?

The data controller of the personal data included in any information communicated through BME’s Information System is Bolsas y Mercados Españoles, Sociedad Holding de Mercados y Sistemas Financieros, S.A.U. ("BME Holding"), with tax identification code A-83246314 and registered office at Plaza de la Lealtad 1, 28014 Madrid.

What is the purpose and legal basis for processing of personal data?

Personal data will be processed by BME for the following purposes:

• Analyze and manage the complaint internally.

• Maintain contact with the reporting person, denounced/concerned party or third party relevant to the procedure.

• Conduct, if appropriate, the corresponding investigation into the complaint filed.

• Eventual referral to the competent authorities.

The processing of personal data by BME may be carried out:

• In cases of internal communication, based on a legal obligation as provided in 6.1.c) of the General Data Protection Regulation (hereinafter, "GDPR") when it is mandatory to have an internal reporting system as established by Spanish Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and anti-corruption.

• In the case of a public disclosure, on the performance of a task carried out in the public interest as indicated in art. 6.1.e) of the GDPR.

• In the case of the processing of special categories of personal data for reasons of substantial public interest, it may be carried out in accordance with the provisions of Article 9.2.g) of the GDPR.

What personal data is collected and processed?

The following personal data may be processed:

• From the reporting person (if the report is not anonymous): full name, e-mail, address, cell phone number or any other data included in the description of the communication.

• From the concerned/accused person: the data indicated by the complainant in the description of the communication and those that may be ascertained during the investigation.

• From the witness or other third parties: data ascertained from third parties indicated in the communication by the reporting person or relevant to the investigation being carried out which may provide significant information.

Who has access to personal data?

Access to the personal data contained in BME's Information System shall be limited exclusively to the Responsible for BME's Information System and the persons who perform internal control and compliance functions in the Compliance Department and, when necessary, to the Criminal Prevention Committee. Exceptionally, such access may be granted to:

• The Head of Human Resources when it is appropriate to take disciplinary measures against an employee.

• The Head of Legal Counsel when: (1) it is necessary to take legal measures; or (2) the communication refers to the Responsible for BME's Information System or any a member/s of the Compliance Department and they have to inhibit themselves.

• The Data Processors to be appointed.

• BME's Audit and Risk Committee when is necessary.

• The Data Protection Delegate.

Likewise, the processing of personal data by other persons shall be lawful when necessary for the adoption of corrective measures in BME or the processing of disciplinary or criminal proceedings, if any.

BME relies on the services of EQS Group AG, which provides the Integrity Line platform and offers guarantees regarding independence, confidentiality, data protection and secrecy of communications. In general, only third parties who provide adequate guarantees may have access to the management of the information received through BME Information System.

The identity of the reporting person, if identified, may only be communicated to the Judicial Authority, the Public Prosecutor's Office or the competent administrative authority in the context of a criminal, disciplinary or sanctioning investigation. The person to whom the facts reported in the information communicated refer shall in no case be informed of the identity of the reporting person.

What technical and organizational measures are used?

BME will ensure that all necessary technical and organizational measures are taken to preserve the identity and guarantee the maximum confidentiality of the data corresponding to the persons concerned and any third parties mentioned in the information provided.

Persons who, in the performance of their duties, become aware of information submitted through any of the channels, shall be bound to maintain professional secrecy, especially with regard to the identity of the reporting persons.

Both EQS Group AG and the software developed for EQS Integrity Line are certified according to the ISO 27001 information security standard. The platform ensures full compliance with the GDPR and guarantees the anonymity of the reporting person so that his or her identity cannot be traced by technical means.

What is the personal data retention period?

The personal data of the reporting person, persons concerned and third parties mentioned in the communication will be stored only for the time necessary to decide whether to initiate an investigation of the denounced or reported facts. If it is evidenced that the information provided or part of it is not true, the data must be deleted immediately. If the lack of truthfulness could constitute a criminal offense, the information will be kept for the necessary time during the legal proceedings.

After three months have elapsed from the receipt of the communication without any investigation actions having been initiated, the data shall be deleted, unless their retention serves to provide evidence of the operation of BME's Internal Information System. Communications that have not been acted upon may only be recorded in anonymized form, without the obligation to block being applicable.

How can I exercise my rights?

The reporting persons, concerned or accused persons, witnesses and other third parties whose personal data are processed will be referred to as "Data Subjects" for the purpose of exercising their rights.

The Data Subjects may exercise their rights of access, rectification, deletion, portability and limitation of processing, as well as contact the Data Protection Officer through the following address:

• BME Group Data Protection Officer: protecciondedatos@grupobme.es
  Plaza de la Lealtad, 1, 28014 Madrid
  
  

Data Subjects may also file a complaint with the Spanish Data Protection Agency (www.aepd.es).

Notwithstanding the foregoing, the characteristics of the investigation process may modify the scope of the exercise of any of these rights:

• None of the Data Subjects whose personal data are processed during this research may exercise the right of cancellation.

• The right of access to the information included in BME’s Information System will be limited to information related to the personal data of the Data Subject requesting it (third party data cannot be accessed).

• None of the Data Subjects to whom the facts related in the communication refer to may object to being investigated. In the event that any Data Subject to whom the facts reported in the communication refer exercises the right to object, it will be presumed that, unless there is evidence to the contrary, there are legitimate reasons for processing his or her personal data.