Internal abuse reporting system of United Consult Zrt.

In order to comply with Act XXV of 2023 on Complaints, Public Interest Reporting and Rules Relating to Reporting Abuse (the “Complaints”), UNITED CONSULT Privately Operating Company. (registered office: 1117 Budapest, Dombóvári út 26.; company registration number: 01-10-141235; the “United Consult”) operate an internal abuse reporting system to ensure that illegal or suspected unlawful acts or omissions, or other information about abuse, can be effectively reported be.

Based on the foregoing, United Consult accepts this policy (the “Policy”), which sets out in particular the scope of persons entitled to report, the channels and conditions of notification, the procedure for investigating reported cases and the guarantee provisions for the protection of whistleblowers.

United Consult encourages all persons entitled to do so, in particular its employees and contractual partners, to report information on any wrongful or suspected unlawful acts or omissions or other abuses in substantiated cases, in order for United Consult to become aware of and investigate cases.

The Regulations are effective from October 20, 2023.

Abuse Reporting Policy
Online reporting interface

How to make notifications

Information about an act or omission or other abuse that is unlawful or suspected to be unlawful may be reported in the internal abuse reporting system.

The notifier may make the notification in writing or orally (a”Announcement”), for which United Consult provides the following options:

• principally online reporting interface
• written notification: by sending a message to panasz@united-consult.hu
• personal announcement:by appointment, at the headquarters of United Consult (1117 Bp., Dombóvári út 26., or, if necessary, in the office of the Whistleblower Protection Officer.

In the case of written and personal notification, the Applicant acknowledges and accepts United Consult abuse reporting policyand the one belonging to it data management policy.

The notification can be made in Hungarian or English.

Who can make an Announcement?

In the abuse reporting system operated by United Consult, the following persons (a”Announcer') have the right to make a notification:

1. Employees, in particular, but not exclusively, employees of United Consult;
2. an Employee whose Employment Relationship with United Consult has been terminated;
3. a person wishing to enter into an Employment Relationship with United Consult for whom the procedure for establishing such a legal relationship has been initiated;
4. the individual entrepreneur, the sole proprietorship, if it has a contractual relationship with United Consult,
5. a person holding an ownership interest in United Consult and a person belonging to the administrative, executive or supervisory board of United Consult, including a non-executive member,
6. a contractor, subcontractor, supplier or person under their supervision and control who has initiated the procedure to establish a contractual relationship with United Consult, who is or has been in a contractual relationship,
7. trainee and volunteer working for United Consult,
8. a person wishing to enter into a legal relationship or contractual relationship with United Consult under points (4), (5) or (7) in respect of whom proceedings have been initiated to establish that relationship or contractual relationship, and
9. the person whose legal relationship or contractual relationship with United Consult has been terminated pursuant to points (4), (5) or (7).

When is there a place to make an announcement?

United Consult encourages good faith reporting of abuse of which the Whistleblower becomes aware. United Consult also encourages the reporting of situations where the Whistleblower has reason to believe that abuse will occur, not only when the abuse has already occurred. In addition, the Whistleblower encourages individuals to make a Report as soon as circumstances permit, ideally when abuse is preventable and before the situation escalates. Notwithstanding the foregoing, the Submission is voluntary and does not involve the granting of financial or other benefits to the Applicant.

Content of the Announcement

• The Notification shall, irrespective of the method, include at least the following: the first and last name of the Notifier, the contact details of the Notifier, the professional context of the discovery, the Person Concerned in the Notification, if known, a description of the fact likely to be abused as defined above, where applicable, and, where applicable, the evidence, date and signature supporting the Notification, if applicable can be used.
• Regardless of the notification channel chosen, United Consult will ask the Notifier to disclose as much information and detail as possible in order to properly evaluate the Submission.

If a person makes more than one Submission in the same subject, they will be merged. If, after the Notification, a new Notification is received in respect of the same subject matter, without providing additional information to require any other action, it shall be entered in the previous register.

Investigation of notifications

At the time of the initiation of the investigation, the person concerned shall be informed in detail of the notification, of his rights in relation to the protection of his personal data and of the rules governing the processing of his data.

Within 7 (seven) days of receipt, United Consult sends a confirmation to the notifier, which contains the general information on the rules of procedure and data processing.

Please note that a criminal or civil lawsuit can be initiated in the event of a manifestly bad faith report.

Have more questions?

If you have any questions or suggestions for improvement regarding the Abuse Reporting System, please contact panasz@united-consult.hu.

‍

Data management information

— data processing carried out in connection with the operation of United Consult's internal abuse reporting system —

Act XXV of 2023 on complaints, public interest reports and rules relating to the reporting of abuse (a”Complaint.”) in order to comply with, UNITED CONSULT Privately Operating Limited Company. (registered office: 1117 Budapest, Dombóvári út 26.; company registration number: 01-10-141235; a”United Consult') operate an internal abuse reporting system to ensure that illegal or suspected unlawful acts or omissions, or other information on abuse, can be effectively reported.

This privacy policy (a”Data Management Informationto ensure that you, as the data subject of the processing operation, are informed about the processing of your personal data in accordance with Regulation 2016/679 of the European Parliament and of the Council (a”GDPR”) and Act CXII of 2011 on the right to information self-determination and freedom of information (the “Infotv.”) in accordance with its provisions.

This Privacy Notice sets out common rules for United Consult's data processing activities. The characteristics of each specific processing activity, in particular the purpose of the processing, the scope of the personal data processed, the period of retention of the personal data and other characteristics of the operation are set out in Annex 1.

The content of this Privacy Notice may change from time to time, and we will endeavour to notify you of any changes in each case. Before checking the information about the data processing activities concerning you and exercising your information self-determination rights, please always consult the updated version of the Data Management Information, which is united-consult.hu/report-abuseavailable on the site.

1. PERSON OF THE CONTROLLER, DATA PROTECTION OFFICER AND CONTACT DETAILS

The controller of personal data is UNITED CONSULT Private Limited Company (registered office: 1117 Budapest, Dombóvári út 26.; company registration number: 01-10-141235, hereinafter referred to as:”Data Controller” or”United Consult”).

The Data Controller's designated data protection officer: United Consult (the”Data Protection Officer”). Email address of the Data Protection Officer: info@united-consult.hu

You may also contact the Controller or the Data Protection Officer directly with any questions you have or the exercise of your information self-determination rights.

2. INFORMATION SELF-DETERMINATION RIGHTS AND REMEDIES

In case of any comments, questions or complaints regarding the processing of your personal data, please contact the Data Controller directly, who will respond to your request without delay, but no later than one month from the receipt of your request. If the complexity of your request or the number of requests justifies this, the response period may be extended by another two months, of which you will be notified by the Data Controller within the initial deadline.

In relation to the processing of your personal data, you have different rights (so-called information self-determination rights), which are essentially determined by the legal basis of the data processing. Annex 1 sets out the rights you may have in relation to the respective legal basis for data processing. Please note that in relation to the exercise of a right, the GDPR may establish additional conditions, which may, where appropriate, exclude, restrict or specify additional conditions in relation to the exercise of that right. Therefore, before exercising your information self-determination rights, please carefully study this Privacy Notice, the relevant section of Annex No. 1 and the provisions of the GDPR regarding the detailed content of the right.

a) Withdrawal of consent(Art. 7 (3) GDPR)

You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of data processing based on consent prior to withdrawal.

b) Access(Article 15 GDPR)

You have the right to receive feedback from the Data Controller as to whether your personal data is being processed and, if such processing is ongoing, you are entitled to have access to the personal data and certain information specified in Article 15 GDPR.

c) Corrigendum(Art. 16 GDPR)

You have the right to have inaccurate personal data concerning you corrected by the Controller at your request without undue delay. Taking into account the purpose of the data processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

d) Erasure (“the right to be forgotten”)(Article 17 GDPR)

You have the right to request the Controller to delete the personal data concerning you without undue delay, and the Controller is obliged to delete the personal data concerning you without undue delay if one of the reasons set out in Article 17 applies.

e) Restriction of data processing(Article 18 GDPR)

You have the right to request the Controller to restrict the processing if the reason set out in Article 18 is met.

f) Portability (Article 20 of the GDPR)

You have the right to receive your personal data provided to the Controller in a structured, widely used, machine-readable format, and you have the right to transmit such data to another controller without hindrance from the Controller if: the processing is in accordance with Article 6 (1) (a) or Article 9 (2) (a) is based on consent or is necessary for the conclusion of a contract pursuant to point (b) of Article 6 (1) and the processing is carried out in an automated manner. When exercising the right to data portability, you have the right to request the direct transfer of personal data between data controllers, if technically feasible.

g)Protest(Article 21 GDPR)

In the case of processing based on our legitimate interest: You have the right to object at any time to the processing of your personal data based on legitimate interests, including profiling based on that provision, on grounds relating to your own situation. In this case, the Controller may no longer process the personal data, unless the Controller proves that the Data Processing is justified by compelling legitimate reasons which override the interests, rights and freedoms of the data subject or which are related to the establishment, exercise or defence of legal claims.

In the case of processing for direct marketing purposes: If personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for this purpose, including profiling, insofar as it is related to direct marketing. If you object to the processing of personal data for direct marketing purposes, the personal data will no longer be processed for this purpose.

3. LEGAL OPTIONS

In case of violation of your rights to the processing of personal data, you may have the following remedies:

a) You may contact the Controller directly or the Data Protection Officer using the contact details set out in point 1.

(b) You may lodge a complaint with the supervisory authority:

The supervisory authority in Hungary is National Authority for Data Protection and Freedom of Information(registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/c; postal address: 1530 Budapest, Pf.: 5.; e-mail: ugyfelszolgalat@naih.hu; telephone: +36 (1) 391-1400; web: www.naih.hu)

c) You may file a claim against the Data Controller or the data processor that has received the request.

You have the right to take legal action against the Controller or, in connection with data processing operations within the scope of the data processor's activities, if, in your opinion, the Data Controller or the processor acting on its behalf or on the basis of its instructions are processing your personal data unlawfully. You may, at your option, bring the action before the court having jurisdiction for your place of residence or residence. You can find out more about the jurisdiction and contact details of the court on the following website: www.birosag.hu.

4. VERSION DATA

Data Management Information was issued on July 24, 2023. This text is version 1 of the Privacy Policy.

Attachments:

1. Annex No — on data processing carried out in connection with the operation of the United Consult internal abuse reporting system