TITAN ETHICSPOINT - PRIVACY NOTICE

You have accessed EthicsPoint, a voluntary, confidential web and phone-based system that allows you to report incidents of misconduct at Titan Cement International SA (“TCI”) and its group companies (“Titan Group”). EthicsPoint is hosted by GCS Compliance Services Europe Limited (“GCSEU”), an independent unaffiliated service provider registered in Ireland.

This privacy notice informs you in accordance with Regulation EU 2016/679 (“GDPR”) how your personal data are collected and processed when you report an incident through EthicsPoint either in writing at [www.ethicspoint.com] or by telephone. References to “we”, “us” and “our” in this notice mean “Titan Group”.

Reporting an incident may be done anonymously. However, we will not be in a position to investigate your report fully without sufficient information on the individual making the report and the individuals involved in the reported incident.

The controller of personal data processed in connection with an incident reported through the EthicsPoint is Titan Cement International SA, a legal entity established in Belgium and having its registered seat at Rue de la Loi 23, 7th floor, box 4, 1140 Brussels (company registration number 0699.936.657).

The volume and nature of personal data we process depend on the circumstances surrounding the reported incident. When you report an incident, we process personal data, which mainly encompass the reported facts, the name, position within Titan Group, job description, location, contact information relating to:

• a. the individual who reports the incident (if provided);
• b. the individuals implicated in the reported incident;
• c. the individuals with information relating to the reported incident; and
• d. the individuals responsible for investigating the reported incident.

The EthicsPoint is not intended to collect or process special categories of personal data (i.e., information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning sex life or sexual orientation) or criminal convictions and offences. To the extent such special categories of personal data are inextricably connected to the facts that have been reported through the EthicsPoint, we will seek to minimize any resulting collection and further processing of such personal data.

The personal data we process in connection with a reported incident are collected from:

• a. the reported facts;
• b. any clarifications you may be asked to provide;
• c. the evidence gathered in the course of the investigation of a reported incident; and
• d. any materials (e.g., reports, conclusion, memoranda) produced in the course of investigating a reported incident.

Depending on the nature of the work-related incident reported through the EthicsPoint, we base the processing of personal data:

• a. on the performance of the employment contract between the Titan Group entity involved and the individuals implicated in the report, when the reported incident concerns the performance of employment duties.
• b. on Titan Group’s legitimate interest to protect its people, facilities and assets by maintaining a culture of compliance, safety, integrity, and transparency at workplace, when the reported incident concerns conduct not directly related to the performance of employment duties.
• c. to comply with our legal obligations, when required to cooperate with the authorities in connection with unlawful conduct.

We process personal data that are absolutely necessary to detect, prevent, investigate and combat misconduct directed against Titan Group, its employees, stakeholders and their assets and to protect health, safety and security and to promote and ensure integrity within Titan Group. The processing of personal data through EthicsPoint does not involve any profiling or automated decision-making.

The recipients of personal data relating to a reported incident will be the Titan Group staff tasked to review and investigate the report (e.g., staff from the Human Resources, Finance, Internal Audit, or Legal departments) in the country where the reported incident took place and in Greece.

The recipients of personal data relating to a reported incident will be third parties outside Titan Group which shall act as personal data processors such as:

• a. personnel of GCSEU and its approved sub-processors who assist in the collection, preparation and management of reports (e.g., write reports made by telephone; prepare English translations of reports made in a language other than English or Greek);
• b. external case managers or legal advisors, if engaged to assist in relation to a report; and
• c. the police and other law enforcement or regulatory authorities, to the extent required by law.

Depending on where the reported incident took place and the need for investigation arises, recipients of personal data in connection with reports may be located inside and/or outside the EEA. Some countries outside the EEA do not offer the same degree of protection to personal data as the EEA countries do. Personal data may be transferred:

• a. to Titan Group staff located outside the EEA in which case personal data will be protected through approved Standard Contractual Clauses signed by all Titan Group companies in accordance with the GDPR.
• b. to GCSEU affiliates and approved sub-processors located outside the EEA in which case personal data will be protected through agreed contractual commitments with Titan to secure personal data.
• c. to GCSEU’s mother company, NAVEX Inc., in the U.S.A., in which case personal data will be protected through NAVEX’s certification and adherence to the Privacy Shield Principles (see the NAVEX Privacy Policy for additional information).

Taking into account the cost of implementation and the nature, scope, context and purposes of processing, Titan Group has implemented technical, physical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, and against all other forms of unlawful processing (including, but not limited to unnecessary collection) or further processing. The personal data and information you provide through a report will be stored in a secure database located on servers hosted and operated by GCSEU in Germany. Titan has entered into strict agreements, including a Data Protection Agreement, with GCSEU ensuring the confidentiality and security of personal data when processed by GSCEU and its sub-processors. Also the personal data and information involved in the materials that will be produced in the course of investigating a report will be stored in Titan Group’s physical records and in a secure database saved in a cloud-based server, hosted and administered by Microsoft within the EEA (Netherlands) for Titan Group. We have entered into a strict data protection agreement with Microsoft ensuring the confidentiality and security of personal data hosted in Microsoft’s data center.

We will keep all personal data associated with a report as long as necessary to investigate the reported incident. We will delete the personal data no later than 12 months from receipt of the final report on the reported incident unless local laws require different retention periods or we need to maintain the relevant records of the reported incident longer to pursue or defend our interests (e.g. in case of legal dispute between Titan Group and the persons involved in the reported incident or the investigation).

You have the following rights under the GDPR:

• a. Right of access: You have the right to obtain from the data processor confirmation as to whether your personal data is being processed, to request details of the processing activities, and obtain a copy of your personal data undergoing processing.
• b. Right to rectification: You have the right to request that your personal data be rectified if inaccurate or incomplete. Depending on the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
• c. Right to erasure (right to be forgotten): You have the right to ask the data processor to erase your personal data in certain circumstances.
• d. Right to restriction of processing: You have the right to request the restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by the data processor for certain purposes.
• e. Right to data portability: You have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit them to another data controller.
• f. Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by the data processor in certain circumstances.
• g. Right to object to automated decision-making: You have the right not to be subject to a decision based solely on automated processing including profiling.

The aforementioned rights might be limited under the applicable national data protection laws. If you wish to exercise any of your rights or have any question regarding the processing of personal data or the use of the EthicsPoint, you may contact the controller by email at dataprotection@titan-cement.com or by letter at 22A Halkidos Street, 11143 Athens (send your letter to the attention of the Corporate Privacy Officer).

If the controller fails to satisfy your request, you have the right to file a complaint with the Hellenic Data Protection Authority (www.dpa.gr) by email (contact@dpa.gr) or by telephone (+30-210 6475600).

You may also file a complaint with the personal data protection authority in the EU member state of your residence, if you reside in the EU, or in the EU member state where the personal data breach occurred. You may find the list of all EU personal data protection authorities at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.