TIRME has a Code of Ethics.

The prime objective is to work with all TIRME’s employees and stakeholders in order to create a framework for co-existence and self-responsibility.

1. All members of the company are required to comply with the principles of legality, transparency, veracity, trust and good faith when carrying out their functions.

2. Company staff must not commit any illegal actions related to the execution and compliance of the activities their position involves.

3. All members of the company shall have equal conditions and opportunities without regard to race or ethnicity, religion, ideology, nationality, gender, sexual orientation/identity, age, disability, diversity, political affiliation, trade union membership, illness, serological status, genetic predisposition to disease, language, socio-economic status, or any other personal or social circumstances.

4. Freedom of conscience and the religious and moral convictions, integrity and privacy of all persons shall be respected.

5. All persons shall be treated fairly and with dignity and respect, including staff belonging to other companies who are working temporarily at TIRME’s facilities.

6. No form of intimidation, direct or indirect discrimination, harassment of any type, unlawful or degrading treatment of any person by any colleague and/or superior at all levels, abuse, coercion or any other type of unprofessional actions shall be tolerated. Particular efforts shall be taken to safeguard the integrity and rights of any minors visiting the company’s facilities.

7. Under no circumstances shall any form of aggression against personal dignity be tolerated. This includes sexual aggression, violent actions and/or physical or verbal threats, aggressive, derogatory and/or inappropriate conduct.

8. Likewise, conduct against sexual freedom and moral integrity at work shall not be tolerated, in particular sexual harassment and harassment on the grounds of sex.

9. All persons shall make all possible efforts to comply with the responsibilities assigned to them. Continued and voluntary reduction in performance at work shall not be tolerated.

10. Acts of indiscipline, understood as the conscious and wilful failure to comply with the obligations of the contract, as well as acts of direct disobedience of orders given by line managers related to their functions and tasks in the company, shall not be tolerated.

11. Employees must not work under the influence of substances that may affect their organism, preventing them from carrying out their tasks in the correct manner and compromising their safety. Likewise, the consumption of alcohol is not allowed during working hours.

12. Smoking and eating is not permitted, except in the specifically designated areas.

13. Employees who are unable to attend work for any reason must inform their line manager immediately. The reason for this absence must be later justified by means of an official document. Furthermore, any instances of tardiness must be immediately reported to the line manager, specifying the cause.

14. Uniforms must not be worn for any other activities other than those corresponding to carrying out tasks at TIRME.

15. TIRME employees must at all times take due care of the infrastructures and equipment used whilst carrying out their work on the company premises, as well as maintaining proper order and cleanliness.

16. Measures shall be taken to ensure the responsible and efficient use of natural resources, adopting a preventive approach to environmental issues and avoiding all actions that may damage or harm the environment, complying at all times with the environmental legislation in force.

17. All staff must take responsibility for their own actions to the best of their ability in order to ensure that occupational safety objectives are met. All members of the organisation are responsible for safeguarding the integrity of others and for maintaining a safe working environment. It is forbidden to carry out, provoke or collaborate in any behaviour, which individually or collectively could endanger employees’ personal integrity and/or that of their fellow workers. All members of staff must report any situations of danger to their line manager, as well as the possible inefficiency or unsuitability of individual or collective personal protective equipment that guarantees occupational safety.

18. Employees many only negotiate agreements on behalf of the company when they have been expressly authorised to do so. Contracts and agreements may only be formalised in accordance with the models or clauses authorised by TIRME.

19. Employees shall abstain from using any types of material in their work that have not been previously authorised by the owners thereof and that may imply a breach of industrial and intellectual property rights.

Employees shall use the company’s industrial and intellectual property rights solely for the purpose of their activity.

20. No member of the organisation, when carrying out their duties and/or acting on behalf of the organisation, may misrepresent or omit relevant information in their dealings with third parties.

21. Each person is responsible for the information generated and handled in relation to the functions associated with their position and shall always act in accordance with the principle of confidentiality, which must be maintained and abided by even when their professional relationship with TIRME comes to an end. In particular, they must safeguard personal or family data, including their own and those of all other persons that have professional dealings with the company. It is strictly forbidden to use such data for any other purpose than that associated with their position and/or the pre-established objectives.

22. TIRME's employees must make prudent use of the company's assets and ensure that its assets do not suffer loss or damage. Likewise, they must preserve the confidentiality, integrity and availability of the organization's information. Any breach of security resulting in the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication or access to such data must be reported via email to lopd@tirme.com.

23. IT facilities and/or electronic devices that are the property of the company (Internet, e-mail, telephone, photocopier, etc.) must be used solely for company activities. They may not be used for non-business purposes, illicit purposes, purposes that may damage the image or interests (of the company, the service, the staff or third parties) or that may affect the correct functioning of IT resources. All TIRME personnel are required to use these resources in a responsible, professional, ethical and legal manner. Controls are in place to monitor their correct use.

24. It is forbidden to access third party applications or IT hardware without prior documented authorisation from said parties.

25. No person may disseminate information or make copies of company software or documents for their personal use or that of other persons.

26. Accepting any type of gifts, invitations, favours or other forms of compensation from customers or suppliers is considered a breach of professional ethics, unless they are mere courtesy gifts of token value.

27. It is forbidden for any employee to make payments or offer unjustified gifts or benefits, which could be considered improper, disproportionate or illegal in accordance with the regulations, to any person or entity, public or private. Corporate gifts, previously authorized by the designated personnel, may be given to promote the image of the TIRME brand. In no case may gifts exceed 200 euros. In the case of civil servants, gifts, travel and entertainment of any amount are prohibited. Initiatives in the context of social action (donations, specific contributions and/or sponsorships) must comply with the guidelines established in procedure PR00-AD-06 Social Action. In case of doubts regarding this policy, consultation shall be made through the ethics channel.

28. All due efforts must be made to prevent any conflict of personal or family interests with those of TIRME. Should such conflicts arise, they must be reported to Criminal Compliance via the ethics channel.

29. Likewise, it is forbidden to use friendship or kinship with public officers to obtain favourable treatment, whereby they act or fail to act in a breach of the law, causing them to abuse or misuse their position, improperly obtaining or retaining business, or securing an undue advantage (e.g. granting of a licence, relevant information on tenders or bids, fixing favourable prices, etc.).

30. All necessary due diligence measures must be applied prior to establishing any commercial relationships. Employees shall abstain from engaging with customers, advisors and business partners in the event of doubts regarding the lawful conduct of their business or the lawful origin of their financial assets. Likewise, they shall cooperate actively with the competent authorities in the prevention of money laundering and financing of terrorism.

31. Professional conduct is urged at all times, complying with the obligations acquired and guaranteeing the payment of debts to suppliers and all other third parties. It is forbidden to dispose of, transfer or conceal any property owned by the company for the purpose of evading compliance with its liabilities to creditors.

32. All company staff must comply with the measures stipulated in the Criminal Risk Prevention Manual, cooperating with their line managers and collaborators in order to ensure the correct compliance therewith.

33. All members of the company are required to report any suspicion or evidence of a crime committed by fellow workers or third person and also to comply with this code. To this end, a direct and confidential channel has been set up with the Compliance Officer via a direct link available on the TIRME website and the intranet, managed in accordance with regulation N014 Ethical Channel Management

34. Any company employee who misleads, obstructs or fails to cooperate with investigations into possible breaches of this Code of Ethics shall be subject to disciplinary action.

35. The Compliance Body, which is responsible for drawing up this Code of Ethics, reserves the right to issue any regulations of implementation that may be necessary for the development of its provisions and undertakes to ensure that it is constantly updated, adapting it to the social and legal situation at any given time.

Matters to be reported via the Ethics Channel

Any person is obliged to:

- Report in good faith, and on the basis of reasonable indications, circumstances that may involve the materialisation of a criminal risk to the organisation, as well as breaches or weaknesses in the compliance management system.

- Report any suspicion or evidence of wrongdoing by co-workers or others and to comply with this code.

- Report any behaviour or action that is criminal or that contravenes current legislation or the corporate principles of Tirme S.A.

In accordance with the provisions of the aforementioned Law 2/2023, reports must always be made in good faith, thus implementing a "culture of fairness", which means that the whistleblower must have reasonable grounds to believe that the information provided is true and that it contains possible infringements.

Reporting procedure

Access to the ethics channel and steps to be taken when submitting a complaint

For this purpose, there is a direct, confidential and anonymous channel, installed on the Whistlelower Software digital platform, which communicates directly with the Compliance Officer. The system has been configured so that Tirme's Legal Advisor simultaneously receives information from this new communication channel, as an additional guarantee of objectivity and independence.

The TIRME Ethics Channel can be accessed via the following link, which will take you to the report form:

https://whistleblowersoftware.com/secure/98a32917-4f45-41b7-8699-4887efb9ecda.

This link is accessible both on the TIRME intranet and on the website.

The whistleblower has two options to process their complaints/communications:

a) Verbal communication;

b) Written communication.

At the whistleblower's request, it may also be submitted by means of a face-to-face meeting within a maximum period of seven days. Where appropriate, the informant will be warned that the communication will be recorded and will be informed of the processing of his/her data in accordance with current Data Protection regulations.

The minimum information to be provided through the channel form is:

1. Subject. Summarised form, in the form of a title, of the facts on which the complaint is based.

2. Description of the facts. Detailed description of the events.

3. Facility associated with the event. TIRME facility drop-down to select the location where the events occurred. Several options can be selected, if applicable. If the event did not occur in any of the installations that appear in the drop-down menu or if you do not know the installation to which it belongs, you can select the option "Others".

4. Possible offence committed. This drop-down list shows a catalogue of criminal offences listed in the Penal Code. In the event that the conduct is not identified with any of the offences that appear in the drop-down menu, select the option "Others".

To help you identify them, a document is available on the "Definitions" page which gives a brief description of each offence.

5. Who committed the offence? o Identity of the offender. Names of the persons involved in the commission of the fraudulent act.

6. On what date did the offence occur? Calendar where you can select the date on which the offence was committed. If the same event has occurred on several occasions, this should be specified in the section "Description of the events".

7. What is your relationship with the company? Select the stakeholder group to which the person making the complaint belongs.

8. Have you taken any action as a consequence of what happened? Details of the actions that have been taken as a consequence of what has happened.

9. Files. Field for attaching any type of document that accredits the facts described, whether it be an image, a video, a document, etc.

Identification when filing a complaint. Anonymity

When a complaint is made, the platform itself will assign passwords to which the complainant will have access, and it is the complainant's responsibility to protect the secrecy of these passwords and to remember them.

The platform allows reports to be made anonymously. However, we encourage the complainant to identify him/herself by providing his/her name, function and contact details when making a complaint. This will enable the staff dealing with the complaint to contact the complainant in order to help the investigation to be more effective.

The platform also has information security measures in place, aimed at preserving the integrity, availability and confidentiality of the information.

In the event that a report is made anonymously, but there is data that allows the complainant to be identified, the platform will immediately remove all metadata that allows the complainant to be identified.

The reporting system does not record the IP address or the ID of the computer on which the concern is raised and the system does not use cookies.

Processing of communications

Receipt and assessment

Once the complaint received by the Compliance Officer has been registered, the Compliance Officer must resolve the query or assess whether to open an investigation procedure within a maximum period of 7 days. The response to the query or the decision adopted in response to the complaint must be communicated to the complainant within a maximum period of 7 days and will be made through the same platform, where he/she will be able to access with his/her access codes.

Opening of the procedure

In the event of opening the procedure, either ex officio or at the request of a party, all the organisation's mechanisms will be set in motion to clarify the facts, and all the organisation's personnel will be obliged to collaborate with the Compliance Officer, whenever required to do so.

Investigation procedure

The Compliance Officer, together with the Support Unit where necessary, will be the body in charge of the investigation, and may outsource part/s of the investigation when the facts so require, always complying with a series of basic principles such as the duty of confidentiality, security and anonymity (where applicable).

In accordance with current legislation and in order to ensure that the investigation does not take longer than is strictly necessary, the Compliance Officer must resolve the investigation procedure within a maximum period of 3 months from receipt of the complaint, or if no acknowledgement of receipt was sent to the complainant, within three months from the expiry of the 7-day period following the complaint, except in cases of special complexity that require an extension of the period, in which case, this may be extended for a maximum of a further three additional months.

Hearing of persons under investigation

Any person denounced and/or under investigation will have a period of 10 working days, starting from the moment the Compliance Officer notifies them of their status, to make allegations and provide any evidence they deem appropriate.

During the course of the procedure, the persons under investigation are offered all the legally established guarantees and rights. They shall have the right to the presumption of innocence, the right of defence and the right of access to the file under the terms regulated in this law, as well as the same protection established for informants, preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure.

At the time of hearing the person/s under investigation, TIRME shall inform them of the processing of their personal data, within the framework of the investigation carried out, in order to effectively comply with data protection obligations.

Under no circumstances will the identity of the informant be communicated to the subjects concerned, nor will access to any communication be given.

Procedure for adopting measures

If, as a result of the investigation, the reality of the reported facts is accredited and the person/s responsible for them can be determined, the appropriate measures will be adopted with regard to the reported person.

However, if as a result of the investigation the truth of the facts is accredited, but it is not possible to determine the person/s responsible for them, the Compliance Officer will inform the Board of Directors of this circumstance, proceeding to register and file the file.

The reporting person will be guilty of committing a serious labour offence if the result of the investigation proves that he/she has knowingly informed the Compliance Officer of false or misleading facts and/or has acted in bad faith.

Guarantees of the sender

All those who transmit their notifications will have the following guarantees:

- Single recipient: Compliance Officer and Legal Advisor of TIRME.

- Identity protected with maximum confidentiality, security and anonymity (if applicable).

- Prohibition of acts constituting retaliation, including threats of retaliation and attempted retaliation against persons who submit a communication in accordance with the provisions of these regulations. communication in accordance with the provisions of this regulation for a period of 2 years. After the expiry of the two-year period, a person whose rights have been violated as a result of his or her communication or disclosure, may apply to the competent authority for protection.

- Requirement of respect for the presumption of innocence and the honour of the persons concerned.

- Processing of personal data in accordance with the data protection regulations in force.

- Use of the information provided in a complaint only for legitimate purposes in relation to the investigation to be initiated.

Protection of personal data

TIRME's Ethical Channel complies with Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights and with the General Data Protection Regulation, as well as the considerations established in this area in Law 2/2023.

The personal data provided through the Internal Communication System, as well as those processed as a result of an internal investigation, shall only be processed for the purposes set out in these regulations.

In any case, TIRME will collect the personal data essential to process specific information in relation to the communications received. If collected by accident, unnecessary personal data will be deleted without undue delay.

Compliance with the principles of information and transparency with respect to the communicating person is carried out through the informative clause included in the communication form of the Ethical Channel, as well as in the content of these regulations. Likewise, witnesses or reported persons will also be adequately informed about the processing of their data within the framework of the investigations, in accordance with the obligations established in the data protection regulations in force.

Pursuant to article 32 of Law 2/2023, access to personal data contained in the Internal Information System is limited to:

- The Compliance Officer, in her capacity as Head of the Internal Information System and, failing this, the Compliance Advisor. The Compliance Officer, in his or her capacity as Head of the Internal Information System and, failing this, the Legal Department.

- If applicable, Human Resources or the competent duly designated body, only when the duly designated, only when disciplinary measures may be taken against an employee. disciplinary action against an employee.

- TIRME's Legal Department, in the event that legal action should be taken in relation to the facts in relation to the facts described in the communication.

- Those professionals or external companies contracted to collaborate with the management and investigation of the communications received, acting in the capacity of TIRME's Data Processors.

- If applicable, TIRME's Data Protection Delegate.

In the event of communication of data or contracting of services from third parties that imply access on behalf of TIRME, the company will adopt the necessary technical and contractual measures to guarantee the appropriate confidentiality and protection of the personal information of the interested parties.

The data of the person providing the information and of the other parties involved may be communicated to the courts or tribunals, the Public Prosecutor's Office, the State Security Forces and Corps and other competent authorities when necessary for the processing of legal proceedings which, where appropriate, may arise as a result of the investigations carried out as a result of the communications made. Likewise, when the financial interests of the European Union are affected, the European Public Prosecutor's Office must be informed.

The holders of the personal data may exercise their rights of access, rectification, suppression, opposition and limitation to processing, in accordance with the provisions of current personal data protection regulations, by sending an e-mail to the following address: lopd@tirme.com. In any case, the exercise of such rights by the reported person will not imply the communication of the personal data of the communicating party.

Deadlines and document retention

A record book shall be kept of the infringements received and of the internal investigations to which they have given rise within the platform itself, guaranteeing the confidentiality requirements provided for in this law.

The personal data processed shall be kept in the Internal Information System or Ethics Channel for the time required to decide on the appropriateness of initiating an investigation into the facts reported.

In any case, after three months have elapsed from the receipt of the communication without any investigation having been initiated, the data must be deleted from the Information System, unless the purpose of the retention is to leave evidence of the functioning of the model for the prevention of the commission of offences by the legal person. Communications that have not been followed up may only be recorded in anonymised form, and in such cases the obligation to block provided for in Article 32 of the LOPDGDD does not apply.

Once the period mentioned in the previous paragraph has elapsed, the data may continue to be processed for the purpose of investigating the facts reported.

However, in the event that the corresponding investigation is initiated, the personal data will be kept in the corresponding internal systems for the time required to resolve the case. Subsequently, personal data may be kept duly blocked, for the sole purpose of responding to claims and corresponding legal requirements:

- For a period of 5 years in order to meet possible claims or contractual liabilities. contractual liabilities.

- For a maximum period of 10 years, especially in cases where there is evidence of criminal offences. for a maximum period of 10 years, especially in cases where indications of criminal offences are found.

External reporting channel of the independent authority for whistleblower protection

The Independent Whistleblower Protection Authority, IAI, or the corresponding regional authorities or bodies, may also be informed of the commission of any actions or omissions included in the scope of application of this law, either directly or after notification through the corresponding ethical channel of TIRME.

- Infringement of these regulations will lead to the adoption of disciplinary measures regulated in the current TIRME Collective Bargaining Agreement - Disciplinary Regime.

- These mandatory regulations can also be obtained through the intranet www.tirme.net and the website www.tirme.com