Whistleblower Policy

Introduction

Corins strives for an open and honest culture. A culture where reports of suspected misconduct (hereinafter: ‘Report’) can be made in a careful, safe, and confidential manner. The Whistleblower Policy (hereinafter: ‘Policy’) explains how matters that may affect the integrity and controlled business operations and/or the reputation of Corins can be reported safely and confidentially. Corins considers it important to be informed of suspicions of misconduct so that action can be taken. Therefore, Corins encourages employees to report, so that possible misconduct can be resolved. Every Report, whether anonymous or not, is handled by the Risk Manager.

This Policy has been drawn up in accordance with the obligations in the Whistleblower Protection Act. Appendix 1 explains the other definitions used in this Policy.

Purpose and Scope of the Policy

The Policy applies to Corins and is intended solely for reporting a suspicion of misconduct. The application of the Policy follows from the Whistleblower Protection Act, Article 2, paragraph 6, and applies to all employees who work, have worked, or will work for Corins, and to third parties. Suspicions of misconduct can be reported via Corins’ whistleblower policy. Since Corins is part of ASR Nederland N.V., a report can also be made via the whistleblower policy of ASR Nederland N.V. (website: https://www.asrnl.com/about-asr/governance-and-organization/policy-and-guidelines).

Misconduct

Misconduct is understood to mean:

1. An act or omission where the public interest is at stake in:

A violation or danger of violation of:

• A legal provision
• Internal rules that contain a specific obligation and that have been established by Corins based on a legal provision

A danger to:

• Public health
• The safety of persons
• The environment
• The proper functioning of Corins as a result of improper conduct or omission

The public interest is at stake if the act or omission does not only affect personal interests and there is either a pattern or structural character, or the act or omission is serious or extensive.

2. A violation or danger of violation of European Union law, namely an act or omission that:

• Is unlawful and relates to actions and policy areas of the European Union that fall within the material scope
• Undermines the purpose or application of the rules in the actions and policy areas of the European Union that fall within the material scope

Limitation of the Scope of the Policy

The Policy is not intended for:

• Complaints from a Corins employee about employment law and/or employment conditions. In that case, the employee can contact their supervisor and/or a legal supporter such as a union and/or a legal aid provider
• Complaints from an employee about undesirable behavior. This includes any form of behavior of a sexual and/or otherwise offensive, intimidating, or insulting nature. For example, bullying and discrimination. In that case, a complaint can be submitted via the external confidential advisor of HumanCapitalCare
• Complaints about decision-making in the assessment of insurance technical issues. These complaints can be reported to the complaints coordinator

The Report

A Report can be made in the following ways:

1. In writing, to the Whistleblower Reporting Office of Corins by emailing meldpuntklokkenluider@corins.nl. Only the Risk Manager has access to this office
2. Orally, through a telephone conversation with the Risk Manager
3. At the request of the Reporter, within a reasonable period, through a meeting on location with the Risk Manager. This request can be made by contacting the Risk Manager
4. By phone via the number +31 20 301 7775
5. Anonymously in writing, by sending an email to the Whistleblower Reporting Office (meldpuntklokkenluider@corins.nl) from an anonymous and one-time-use email address, or by sending an anonymous letter to Corins, Gatwickstraat 19, 1043 GL Amsterdam, addressed to the Risk Manager, or anonymously by phone via the number +31 20 301 7775. The Reporter who makes an anonymous Report must be aware that they cannot be informed about the assessment and follow-up of the Report

A suspicion of misconduct can be reported both internally and externally. See Chapter 3 for this.

The Reporter has the right to consult an advisor confidentially about a suspicion of misconduct. Externally, this advice can be obtained from the Advice Department of the House for Whistleblowers (see huisvoorklokkenluiders.nl/ik-vermoed-een-misstand) or, for example, from a lawyer or a legal aid provider of a trade union.

After Receiving the Report

A Reporter receives an acknowledgment of receipt within seven days after the Report is received (unless this is not possible because the Report was made anonymously). Every Report is registered in an internal register and kept no longer than necessary in line with Corins’ retention policy. This register is only accessible to the Risk Manager. A Report made by phone or through a meeting on location is registered by:

1. Recording the conversation in a durable or retrievable form with the prior consent of the Reporter
2. A complete and accurate written record of the conversation. The Reporter is given the opportunity to check, correct, and sign the written record for approval

Follow-up of the Report

A Report is carefully assessed by the Risk Manager. In assessing the Report, the circumstances, the available factual information, and the information and any documentation provided by the Reporter are taken into account. If necessary, an investigation is initiated. Within three months after sending the acknowledgment of receipt mentioned in 2.2, the Reporter is provided with information about the assessment and, if applicable, the follow-up of the Report.

• After assessing the Report, the conclusion may be that no follow-up is given to the Report, for example, because the Report does not concern a suspicion of misconduct or the Report has already been made and there are no new facts. If the Report concerns an issue for which another internal procedure is available, the Reporter will be referred to that specific procedure
• If the assessment is that the Report concerns a suspicion of misconduct, the Risk Manager determines whether and what investigation is needed as a result of the Report. An investigation is carried out on behalf of the Risk Manager

Conducting and Recording the Investigation and Findings

As part of an investigation, the Reporter and other involved parties are interviewed by the investigators, where possible. The conversations are recorded in writing or, with the consent of the involved parties, recorded. Interview reports are submitted to the Reporter or other involved parties for approval, who are given the opportunity to check, correct, and sign the report.

The Risk Manager informs the Executive Director of the outcome of the investigation and the advice on any further actions, where possible. The Executive Director decides based on the advice whether and what action is appropriate. The Executive Director informs the Risk Manager of the decision.

The Report and the underlying information (investigation, report, etc.) are not kept longer than strictly necessary in accordance with the Retention Policy.

Confidentiality of Confidential Information

Corins handles the information from a Report and the personal data of the Reporter confidentially. The officials involved in the Report or the investigation who have access to information of which the confidential nature is known or reasonably should be suspected, are obliged to keep this information confidential. Unless Corins has a legal obligation to share information. The exchange of information is limited to persons on a need-to-know basis.

Confidential information includes at least:

• Data about the identity of the Reporter and the person to whom the suspicion of misconduct is attributed or with whom the person is associated, and information traceable to it
• Information about a trade secret

The identity of the Reporter and the information from which the identity of the Reporter can be directly or indirectly traced will not be disclosed without the express written consent of the Reporter. It is possible that in the context of an investigation by a competent authority (e.g., the supervisor) or a judicial procedure, the obligation arises to disclose the identity of the Reporter. In that case, the Reporter will be informed in advance by means of a written explanation of the reasons for disclosing the information about the identity of the Reporter, unless this could jeopardize the investigation or judicial procedure.

External Reporting

Reporters can choose to report a suspicion of misconduct externally as well. An external report of a suspicion of misconduct can be made to the competent authorities listed in Appendix II of this Policy. Corins encourages Reporters to first report a suspicion of misconduct internally through the procedure in this Policy. This gives Corins the opportunity to first assess and adequately and decisively address and resolve a suspicion of misconduct.

Reports of a suspicion of misconduct to the competent authorities can be made in the following ways:

1. In writing
2. Orally
3. At the request of the Reporter within a reasonable period through a meeting on location

The reporting procedures at the competent authorities can be found on the various websites of the competent authorities.

Protection Against Retaliation

Protection of the Reporter

Reports under this Policy are seen as a contribution to improving the functioning of Corins, and Corins encourages employees to report so that possible misconduct can be resolved. Corins will not retaliate against a Reporter who has reasonable grounds to believe that the reported information is correct at the time of reporting a suspicion of misconduct (internally or externally) during and after its handling. If the Reporter feels that they are being retaliated against, they can always discuss this with the Risk Manager. The Reporter of a suspicion of misconduct is protected against legal proceedings under the Whistleblower Protection Act.

Protection of Other Involved Parties

The provisions in 4.1 also apply to those who assist a Reporter (e.g., the confidential advisor), an involved third party, the person to whom the Report is made, or those who carefully follow up on the Report.

Malicious Intent of the Reporter

If an investigation reveals that a Reporter has made a report of a suspicion of misconduct (internally or externally) out of malicious intent or with the intention of deliberately harming another person or Corins, this will be coordinated with the Executive Director or a designated deputy director, and further investigation will take place.

Cooperation

Corins values that its employees work in a safe and honest work environment. Due to its duty of care, Corins is obliged to effectively follow up on a Report if a safe and honest work environment is at stake. Therefore, Corins has an interest in ensuring that every involved employee fully cooperates with a possible investigation and may require this from involved employees in accordance with its right to give instructions.

Publication of the Policy

The Policy is made available through publication on the Corins website. For employees, the Policy is also made available via email and publication on the X-drive under Personnel Affairs.

Appendix I – Definitions

Retaliation / Retaliate:

1. Dismissal or suspension
2. A fine as referred to in Article 7:650 of the Dutch Civil Code
3. Demotion
4. Denial of promotion
5. Negative evaluation
6. Written reprimand
7. Transfer to another location
8. Discrimination
9. Intimidation, bullying, or exclusion
10. Defamation or slander
11. Premature termination of an agreement for the supply of goods or services
12. Revocation of a permit

Retaliation also includes a threat of and an attempt at retaliation.

Involved Third Party:

1. A third party connected to a Reporter (such as a colleague or family member) who may face retaliation by Corins or a person or organization with whom the Reporter is otherwise connected in a work-related context
2. A legal entity owned by the Reporter, for which the Reporter works, or with which the Reporter is otherwise work-relatedly connected

Competent Authority: The competent authorities listed in Appendix II.

Executive Director: The chairman of the statutory board of Corins.

Material Scope:

Violations that fall within the scope of the actions of the European Union listed in the appendix to the Directive and relate to the following areas:

1. Public procurement
2. Financial services, products, and markets, prevention of money laundering and terrorist financing
3. Product safety and product compliance
4. Transport safety
5. Environmental protection, radiation protection, and nuclear safety
6. Food and feed safety, animal health, and animal welfare
7. Public health
8. Consumer protection
9. Financial interests of the Union (including anti-fraud)
10. The internal market of the Union (including free movement of goods and services, competition, state aid, tax advantage)
11. Protection of personal privacy, personal data, and security of network and information systems

Violations that harm the financial interests of the European Union, as referred to in Article 325 TFEU and further explained in relevant Union measures.

Violations related to the internal market, as referred to in Article 26, paragraph 2 TFEU, including violations of European Union rules on competition and state aid, as well as violations related to the internal market and actions that are contrary to the rules of corporate taxation or constructions aimed at obtaining a tax advantage that undermines the scope or purpose of the applicable corporate tax law.

Employee: A person who performs work under an employment contract or otherwise in a subordinate relationship for compensation for Corins.

Reporter: A natural person who reports or discloses a suspicion of misconduct in the context of their work-related activities.

Report: Reporting a suspicion of misconduct.

Policy: This Whistleblower Policy.

Directive: The European Union Whistleblower Directive (Directive (EU) 2019/1937 of the European Parliament and the Council of 23 October 2019 (OJ 2019, L 305)).

Risk Manager: The Risk Manager of Corins, or the designated deputy Risk Manager.

Suspicion of Misconduct: The suspicion of a Reporter that within Corins, for which the Reporter works or has worked, or at another organization if the Reporter has come into contact with Corins through their work, there is misconduct, provided the suspicion is based on reasonable grounds arising from the knowledge the Reporter has gained at their employer or from the knowledge the Reporter has obtained through their work at another company or organization.

Work-related Context: Future, current, or past work-related activities through which, regardless of the nature of those activities, persons can obtain information about misconduct and may face retaliation if they report such information.

Appendix II – Competent Authorities

The competent authorities responsible for receiving and following up on a report of a suspicion of misconduct are:

1. The Authority for Consumers and Markets
2. The Financial Markets Authority
3. The Data Protection Authority
4. De Nederlandsche Bank N.V.
5. The House for Whistleblowers
6. The Health and Youth Care Inspectorate
7. The Dutch Healthcare Authority
8. The Authority for Nuclear Safety and Radiation Protection

Organizations and administrative bodies, or parts thereof, designated by general administrative order or ministerial regulation, that have tasks or powers in one of the areas mentioned in Article The Report.