Code of Ethics

Information Management Procedure

This document sets out in detail the procedure for the Suarez Ethics Channel to comply with the requirements established in Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption.

1. IDENTIFICATION OF SUAREZ INTERNAL INFORMATION CHANNELS

Communications may be submitted in writing or verbally, or both, through the following channels:

  • Access the online form (preferred).
  • Postal or in-person channel: Gran Vía 40 bis, 3º 48009 Bilbao (Vizcaya) Spain.
  • Email: comitedeetica@gruposuarez.com
  • Face-to-face meeting, at the request of the informant at the agreed address, within a maximum period of seven (7) calendar days from the request.

2. WHAT IS THE SUAREZ ETHICAL CHANNEL?

This is a confidential communication channel available to all people who are part of Suarez, as well as to people, both natural and legal, who have any type of relationship with the people who make up Suarez (employees, suppliers, franchisees, etc.). Suarez is committed to transparency, ethical culture and regulatory compliance in every respect, so any regulatory non-compliance of any kind, or unethical behavior such as bad labor, financial, accounting or commercial practices, may be communicated through this channel, so that we can take all the measures necessary to correct such conduct and achieve our objective of full ethical and regulatory compliance as an organization.


Communication will be made through the form created for this purpose, which is located on the home page of this website. We guarantee anonymity if the informant so desires, complete confidentiality of the communication, and protection of the informant, thus avoiding any type of retaliation.
This communication channel may also be used to address any questions that may arise regarding the application of the company's internal rules and procedures.

3. EXTERNAL CHANNELS OF INFORMATION TO THE COMPETENT AUTHORITIES AND, WHERE APPROPRIATE, TO THE INSTITUTIONS, BODIES OR ORGANISMS OF THE EUROPEAN UNION.

If any informant so wishes, they may report to the Independent Authority for the Protection of Informants (AAI) any breach or omission of the principles and guarantees established in this document, which are supported by compliance with Law 2/2023.
Likewise, the informant may turn to the competent authorities for advice, support, or processing of their communication, receiving the same guarantees as those provided through the Ethics Channel.

4. PROCEDURE FOR MANAGING AND PROCESSING COMMUNICATIONS RECEIVED.

a) Issuance of the communication by the informant and its content. The informant may submit the communication through any of the methods detailed in section 1, with the preferred channel being the online form.
For proper management and analysis of received communications and the facts contained therein, all communications must contain the following data:

  • Explain the events in as much detail as possible, indicating the dates they occurred, whether they were one-off or ongoing, and whether they are still occurring.
  • Identify the person(s) involved, whether they committed the acts, were victims, or were aware of them.
  • Attach all documents and information regarding the reported events that justify the complaint.
  • Provide, if the informant so wishes, a contact method in case Suarez deems it necessary to contact them to expand on the information provided through the communication.

At the informant's discretion, communication submitted through the form may be anonymous, allowing the informant to choose whether to provide their information or not. In any case, whether the communication is anonymous or not, the entire process of handling it, from receipt of the communication to the conclusion of the investigation and resolution of the case, will remain confidential.

b) Receipt of the communication. The System Manager designated by the Administrative Body at any given time will be the one who receives the communications made to the Suarez Ethics Channel. Once the communication has been received, the System Manager will send the informant the acknowledgment of receipt of the communication within a period not exceeding seven (7) calendar days following its receipt, unless this may jeopardize the confidentiality of the communication.

c) Communication analysis. The submitted communication is reviewed by the System Manager, after applying the corresponding conflict of interest filter to ensure objectivity and independence in the analysis and resolution of communications.
Once the conflict of interest has been ruled out, the System Manager will contact the department or departments involved or that may be related to the communication to conduct the relevant investigation and request the informant, if contact is possible, any additional information or documentation deemed necessary to resolve the case.
The maximum period for responding to investigative actions and issuing the corresponding report may not exceed three months from the date of receipt of the communication.

d) Rights of the affected person. Any affected person who is accused of actions or omissions in a communication will be informed and heard in the time and manner that the System Manager, along with the departments involved in the investigation, deem appropriate to ensure the successful completion of the investigation.
Absolute respect for the presumption of innocence and the right to honor of the affected persons will be required at all times.

e) Resolution of the communication and issuance of the final report. Based on the investigation report, a decision will be made as to whether or not measures should be taken, and, if applicable, the notification will be archived.

5. CONFIDENTIALITY GUARANTEE.

All information provided by the informant through their communication will be treated confidentially. The confidentiality of any communication is also guaranteed when it is sent through reporting channels other than those established in section 1 or to staff members not responsible for its processing. These staff members will have been trained in this matter and warned of the classification of a breach of the confidentiality obligation as a very serious violation. Furthermore, the recipient of the communication is required to immediately forward it to the System Manager.

6. PROTECTION OF PERSONAL DATA.

The processing of personal data will be governed by the provisions of Title VI of Law 2/2023, of February 20, regulating the protection of persons who report regulatory breaches and the fight against corruption, in Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, in Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, in Organic Law 7/2021, of May 26, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offenses and the execution of criminal penalties, and in this title.
Personal data that is not clearly relevant to the processing of a specific piece of information will not be collected or, if collected accidentally, will be deleted without undue delay.

a) Contact details of the data controller and the data protection officer. In accordance with the provisions of Regulation (EU) 2016/679 of April 27, 2016, on the protection of natural persons with regard to the processing of your personal data (hereinafter, the "GDPR"), Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, "LOPDGDD") and Law 2/2023, of February 20, regulating the protection of persons who report regulatory breaches and the fight against corruption ("Informant Protection Law"), as well as other applicable regulations on the protection of personal data, Suárez will process the data collected through the Ethics Channel as the data controller. For this purpose, the identification data of the company that will process the data is:

  • SUAREZ TRADING, SL
  • Registered office: Gran Vía 40 bis, 3º 48009 Bilbao (Vizcaya) Spain.
  • CIF: B95352936
  • Email: lopd@joyeriasuarez.com

If you have any questions or queries, you can contact our data protection officer by sending your request to lopd@joyeriasuarez.com

b) Type of personal data processed. Use of the Ethics Channel and the inclusion of personal data is voluntary. If you provide your personal data to us directly or if a third party provides it to us through the channel, we may process the following personal data:

Categories of data subject to processing, by type of interested party:

Named complainant
  • Identification data: name and surname.
  • Contact information: email.
  • Evidence: photographs or documents that can prove the reported facts, including employment, tax, etc. information.

Anonymous whistleblower (The whistleblower can send messages anonymously. In these cases, we will not process personal data.)
  • Pseudonym, if used.
  • Contact information, if provided: email.
  • Evidence: photographs or documents that can prove the reported facts, including employment, tax, etc. information.

Person reported
  • Identification data: name and surname.
  • Data associated with the reported conduct: employment data, tax data, financial data, etc., if provided during the investigation.
  • Evidence: photographs or documents that can prove the reported facts.

Witness
  • Identification data: name and surname.
  • Contact information: email, phone, etc.
  • Data associated with the reported conduct: employment data, tax data, financial data, etc., if provided during the investigation.
  • Evidence: photographs or documents that can prove the reported facts.

Third parties
  • Identification data: name and surname.
  • Contact information: email, phone, etc.
  • Data associated with the reported conduct: employment data, tax data, financial data, etc.
  • Evidence: photographs or documents that can prove the reported facts, if provided during the investigation.

When sending a message or additional information, you have the option to attach evidence. If you wish to send a message anonymously, please be aware that attachments may contain personal information that may compromise your anonymity. Delete this information before sending the files.

c) Purposes of processing. We will process your personal data, the information and documents you provide us with for the purpose of processing, investigating and proposing resolutions on communications and complaints related to possible criminal acts or regulatory and ethical breaches received through this channel, in accordance with the provisions of the Procedure and the Policy of the Complaint Management System, as well as the Suarez Code of Ethics.
Additionally, certain information may be processed to provide evidence of the system's operation; this information will be stored anonymously.

d) Legal basis for processing. The legal basis for processing your data is compliance with a legal obligation, pursuant to the provisions of Article 30 of the Whistleblower Protection Act (Article 6.1.c) of the GDPR). If the data is considered a special category, processing is exempt in accordance with the provisions of Article 30 of the Whistleblower Protection Act, in conjunction with Article 9.2.g) of the GDPR, as it is necessary for reasons of essential public interest.

e) Data retention period in the Ethics Channel. Personal data processed for this purpose will be retained in the Ethics Channel only for the time necessary to decide whether to initiate an investigation into the reported events. In any case, three months after the data was entered, it must be deleted from the Ethics Channel. If it is decided to initiate an investigation, the personal data will be retained outside the reporting channel for the duration of the investigation. If the investigation results in the adoption of certain measures against the persons under investigation, the data will be retained as long as the appropriate legal action persists.
Once the corresponding retention period expires, the data will be duly blocked and retained to demonstrate compliance with regulations regarding the provision of an ethics and compliance model at Suárez in accordance with the requirements of Article 31 bis of the Criminal Code.

f) Access to the Ethics Channel. In general, access to data will be limited exclusively to those who are part of governing bodies related to compliance functions (members of the Suárez Corporate Ethics and Compliance Committee and, where applicable, the Ethics and Compliance Advisory Council), and/or to internal or external investigators (the latter as data processors) who may be appointed. Likewise, when disciplinary measures are to be adopted against Suárez personnel, such access will also be permitted to personnel with management and control functions within the Suárez Human Resources area.

g) Recipients of the data. Your data will not be transferred or made available in any way to any third party, except to those legal service providers.
Without prejudice to the foregoing, personal data from complaints may be communicated to law enforcement agencies, judges or courts, as well as any other competent body if required in compliance with current legislation.
In particular, in the case of individuals from Suarez companies located outside the European Economic Area, international transfers of data may be made provided that it is strictly necessary to resolve the case reported through the Ethics Channel. Where appropriate, Suarez will adopt appropriate measures to ensure that your personal data remains protected as established in this document and will apply the appropriate mechanism in each case in accordance with the GDPR when transferred outside the EEA. Likewise, we ensure that any third party that receives your personal data has implemented appropriate security measures to protect said data.

h) Automated decisions and profiling. Under no circumstances will Suarez make automated decisions with your data or create profiles.

i) International transfers. Suarez has several subsidiaries, so it is possible that, if necessary depending on the specific case and after conducting the corresponding investigation, your data may be processed outside the European Union or the European Economic Area.

In any case, Suárez will ensure that such data processing is always protected with the appropriate safeguards, which may include, among others, the signing of standard contractual clauses approved by the European Commission. These clauses consist of contracts approved by the Commission that provide sufficient guarantees to ensure that the processing complies with the requirements established by the GDPR.

j) Exercise of rights. You may exercise, at any time and free of charge, your rights of access, rectification, deletion, restriction of processing, data portability, and objection, expressly indicating which of the aforementioned rights you wish to exercise. You can direct your request to the following addresses:

  • By sending an email to lopd@joyeriasuarez.com
  • By postal mail addressed to Suárez Trading, SL at the registered office at Gran Vía 40 bis, 3º, 48009 Bilbao (Vizcaya), Spain.

We will consider all requests and provide our response within the time period established by applicable law. Please note, however, that the rights of access, erasure, and objection may be limited while the investigation into the reported facts is ongoing or while judicial or extrajudicial action is being taken regarding them. The identity of the complainant must be preserved to satisfy the interests of Suárez or to comply with a legal obligation. In any case, you have the right to file a complaint with the Spanish Data Protection Agency (www.aepd.es), located at C/Jorge Juan No. 6, 28001 Madrid, if you consider that Suárez has violated the rights granted to you by applicable law.

7. FORWARDING OF INFORMATION TO THE PUBLIC PROSECUTOR'S OFFICE

When the facts could be indicative of a crime, the System Manager will immediately forward the information to the Public Prosecutor's Office. If the facts affect the financial interests of the European Union, it will be forwarded to the European Public Prosecutor's Office.

8. SYSTEM ABUSE, FALSE COMPLAINT AND COMMITMENT TO NON-RETALIATION.

Users who use the Ethics Channel in good faith will not suffer any type of retaliation as a result of their use of the system, nor will they face any type of sanction from Suarez.
Suárez will guarantee adequate protection of privacy and personal data, as well as the preservation of the honor, presumption of innocence, and right to defense of those accused, particularly against unfounded, false, or malicious accusations. The appropriate disciplinary measures will be taken, where appropriate.
Likewise, you must ensure that the personal data provided through the Ethics Channel is true, accurate, complete, and up-to-date.