Privacy Policy

WHISTLEBLOWING POLICY

This policy defines the internal whistleblowing procedure implemented within the Umedia Group in order to encourage and facilitate the reporting of abuse in complete confidentiality and without fear of retaliation, and forms part of the policy by which the Umedia Group strives to establish a corporate culture characterized by trust, responsibility, and compliance with regulatory provisions.

The procedure set out below has been established in accordance with Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (hereinafter the "Directive") and its transposition into Belgian law transposed into the law of 28 November 2022 on the protection of persons who report breaches of Union law or national law found within a legal entity in the private sector (hereinafter the "Law").

01 — Who can file a report?

This procedure is intended for any person who reports information on breaches obtained in a professional context with an entity of the Umedia Group (hereinafter the "Whistleblower").

The notion of "professional context" is understood in the broadest sense and includes in particular employees (full-time or part-time, permanent or temporary), self-employed workers, temporary staff and consultants, shareholders, directors and managers, as well as service providers supplying services to the Umedia Group on a recurring basis.

The notion of "professional context" also encompasses a professional context that is in progress, has been completed or has not yet begun (in the case of information on violations obtained during the recruitment procedure or other pre-contractual negotiations).

Groupe Umedia" includes Umedia SA, uFund SA, Umedia Production SA, Umedia Production Services SRL, Umedia Visual Effects SA, UFX Wallonie SRL and UFX Flanders SRL.

02 — What can you report?

This procedure is designed to allow the reporting of breaches:

• within the scope of the Directive and/or Law relating to the following areas: (i) public procurement, (ii) financial services, products and markets and the prevention of money laundering and terrorist financing, (iii) product safety and compliance, (iv) transport safety, (v) protection of the environment, (vi) radiation protection and nuclear safety, (vii) food and feed safety, animal health and welfare, (viii) public health, (ix) consumer protection, (x) protection of privacy and personal data and security of networks and information systems, (xi) tax fraud and (xii) social fraud;
• affecting the financial interests of the Union;
• relating to the internal market, including breaches of Union competition and State aid rules;

including reasonable suspicion of actual or potential breaches listed above that have occurred or are very likely to occur, as well as attempts to conceal such breaches.

However, this procedure is not intended to :

• raise personal concerns or grievances related to work, including pay, working conditions, interpersonal issues, psychosocial risks (including but not limited to harassment, violence, etc.) or performance reviews;
• question the Umedia Group's commercial approach.

03 — What protection does a whistleblower have?

No (threats of) retaliatory measures (dismissal or suspension, non-renewal or early termination of a temporary contract, demotion or refusal of promotion, modification of working conditions, suspension of training, negative evaluation, disciplinary measures, harassment, unfair treatment, etc.) will be taken against Whistleblowers who have reported in good faith, i.e. who had reasonable grounds to believe that the information reported was true at the time of reporting and that it fell within the scope of this policy. The fact that, after examination of the alleged breach, the report proves to be unfounded is not, in itself, sufficient to conclude that the Whistleblower acted in bad faith.

On the other hand, if the investigation reveals that false or misleading information was deliberately and knowingly communicated, the Whistleblower will not be entitled to protection and may be subject to sanctions.

04 — How do I report a problem?

The Whistleblower can choose between the following two procedures for reporting:

• Internal reporting according to the procedure described in this policy (cfr. 5 below);
• External reporting to the Federal Ombudsman (https://www.federaalombudsman.be/en/complaintform
or the competent authority responsible for overseeing legislation (depending on the case, the Financial Services and Markets Authority (FSMA) ( https://www.fsma.be/en/faq/whistleblowers-point-contact), the Data Protection Authority (Autorité de Protection des Données (APD)) (https://www.autoriteprotectiondonnees.be/citoyen/agir/introduire-une-plainte ), etc)[1] ;

The Umedia Group encourages all Whistleblowers to first report a breach internally before going to the authorities.

External reporting is recommended when (i) it is impossible to remedy the breach effectively through the internal procedure (internal procedure not available or not functioning properly) or (ii) an initial internal report has not been followed up appropriately or (iii) the Whistleblower has well-founded reasons to believe that he or she will suffer retaliation under the internal procedure or that the authority is better placed to take effective action.

05 — Internal reporting procedure

The Umedia Group provides a whistleblower platform via the link https://whistleblowersoftware.com/secure/Umedia_lanceur_alerte which enables Whistleblowers to make a confidential and/or anonymous, written or oral report.

When a report is made on a confidential basis, the identity of the Whistleblower is known only to those persons authorized to receive and process the report on a confidential basis (the "Case Managers") and may not be disclosed to other persons (and in particular to the persons targeted by the report) without the Whistleblower's express consent. This also applies to any other information from which identity can be (in)directly deduced. This obligation of confidentiality can only be lifted in very strict cases, governed by the law, namely (i) when the Whistleblower expressly consents or (ii) when required by law in the event of an investigation by national authorities or legal proceedings (in particular to protect the rights of defence of the person concerned).

If the Whistleblower prefers not to reveal his or her identity to anyone in the process, he or she can choose to report anonymously.

It is always advisable to choose the confidential reporting option, as it offers the best possible handling of cases and provides the best possible protection for the Whistleblower.

The only persons authorized to receive and process the report in accordance with the procedure described below are the HR Manager (Alexandra List) and the Head of Legal (Mélanie Paron). In order to avoid potential conflicts of interest, the Whistleblower may choose not to include either of these Managers among the recipients of the report.

Report content

The Whistleblower may choose to remain anonymous, but must provide sufficient information to enable the Case Managers to examine the case properly.

To this end, the report must include the following information:

• Detailed description of the incident, including (i) the nature of the incident (what happened), the date or period during which the incident occurred (when) and the place where the incident occurred (where);
• Role or involvement of the whistleblower in the incident (witness, victim, perpetrator)
• Persons involved (name, function) ;
• Any useful evidence or documents related to the report.

Once the report has been sent, a password is generated. It is important for the Whistleblower to save his/her password, as this is the only way to track the status of his/her report and to communicate with and receive feedback from the Case Manager.

Processing the report

On receipt of the report, the Case Managers will check whether the report falls within the scope of the present "Whistleblowers" policy and requires an investigation of the alleged facts.

The Whistleblower will receive an acknowledgement of receipt within 7 days.

When the report falls within the scope of this policy, the designated Case Manager is responsible for following up the report and maintaining communication with the Whistleblower.

The Case Manager will, impartially, independently and with the utmost discretion, conduct a thorough review of the report to verify the accuracy of the allegations made and, if so, assess the measures to be taken to put an end to the violation and/or minimize the risk of further violations and damage to the Umedia Group's reputation.

If he or she deems it necessary, the Case Manager may, as part of the review of the alert :

• Call in the CEOs or any competent external person (e.g. lawyer) to assist in examining the report;
• Request additional information from the Whistleblower ;
• Contact the persons mentioned in the report or identified during the investigation, it being up to the Case Manager to assess whether contacting these persons is likely to prejudice the investigation;
it being understood that the confidentiality of the report will always be taken into account. If interviewing a person concerned by the report risks compromising the confidentiality of the alert, the Whistleblower will be contacted first.

The Whistleblower has the right to be kept informed of the progress of the investigation, but not of the full content of the investigation, so as not to impede the progress of the investigation.
In any event, the Case Manager will inform the Whistleblower of the results of the investigation no later than 3 months from the date of acknowledgement of receipt (where applicable, after the person concerned by the report has been heard and/or a decision has been taken if the report proves to be well-founded).

Report register

Case Managers are required to keep a register of all reports received and the action taken on these reports.
This register (held via the platform) complies with confidentiality requirements. The identity of Whistle-blowers and persons concerned by reports is anonymized. It contains no data that would enable the identity of the persons involved to be deduced. It specifies only the action taken on reports and the reasons for these decisions.

This register is accessible only to file managers, CEOs and the Board of Directors.

06 — How are personal data processed in this procedure?

The processing of reports under this procedure involves the processing of personal data. This processing is carried out in accordance with the applicable legislation on the protection of personal data and in particular the General Data Protection Regulation ("GDPR"). Umedia SA is responsible for the processing of such personal data for the purpose of this procedure.

The legal basis for processing personal data under this procedure is, as the case may be, the Umedia Group's legitimate interest or legal obligation to provide adequate internal procedures for reporting actual or potential breaches under the Directive and the Law.

Personal data exchanged as part of this procedure will not be kept longer than is necessary for the investigation and management of the report.

Both the Whistleblower and the person concerned by the report have the right to access their personal data and request its correction, deletion or restricted processing within the legal limits.



1/ The full list of competent authorities for external reporting can be found in the Royal Decree of January 22, 2023 designating the competent authorities for the implementation of the law of November 28, 2022 on the protection of persons who report breaches of Union or national law found within a legal entity in the private sector (https://www.ejustice.just.fgov.be/cgi/article_body.pl?language=fr&pub_date=2023-01-31&caller=summary&numac=2023040158 ).

Individuals whose data is processed under this procedure also have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de Protection des Données (APD)).