Whistle-blower policy

Mar 11

1 Purpose and applicability

The purpose of this procedure is to describe requirements for how reported incidents, such as non-compliance with legal and regulatory requirements or violations of LayerOne’s Code of Conduct reported through LayerOne’s integrity channel, shall be handled. The procedure provides action steps, as well as criteria for escalation of reported issues.

This procedure shall apply to LayerOne AS and its subsidiaries (if any) not being part of a portfolio company (hereinafter referred to as “LayerOne”). To the extent LayerOne AS has owner interests in other companies, LayerOne board representatives shall work to implement similar procedures. However, incidents, allegations or complaints concerning companies controlled by LayerOne AS that are outside the defined scope of this procedure, will also be handled if reported through the integrity channel.

2 Procedure

2.1 Reporting

If you are aware or have suspicions concerning unprofessional conduct or breaches of LayerOne’s Code of Conduct, other governing documents or laws and regulations, this must be reported immediately. This can be reported through your manager, safety representative or through LayerOnes’ whistle-blower email:

whistleblower@layerone.com

Not to report is considered a breach of LayerOne’s Code of Conduct.

Feedback and information regarding alleged non-compliance with laws and regulations, LayerOne’s Code of Conduct, or other governing documents, may be brought to the company’s attention through any of the abovementioned contact points.

2.2 Responsibilities

LayerOne’s General Counsel, or whomever he/she delegates to, is responsible for handling any reported incidents, allegations or complaints unless any of the escalation criteria are met (see section 2.3).

All incidents, allegations or complaints reported shall receive a case number for identification and reference. Any instances that are reported directly to LayerOne AS shall be logged. The General Counsel shall establish and maintain a log, tracking the receipt, investigative steps, and resolution.

2.3 Escalation

Incidents involving any criteria listed below shall be escalated to, and managed by, the Chairman of the Board:

  • Any alleged non-compliance involving a member of LayerOne’s Board of Directors, the CEO, the CFO, or the General Counsel.

  • Any alleged fraud involving any other employees of LayerOne.

  • Any alleged non-compliance that may have a significant impact on the company’s brand, i.e.:

    • Non-compliance brought to public attention

    • Media coverage of any alleged non-compliance; or

    • Investigations initiated by prosecuting authority.

  • Any alleged violation that may require special precautions to either ensure confidentiality of the informant, is of a sensitive nature, or warrant special privacy considerations.

  • Any cases that require an investigation team to be assembled.

LayerOne’s General Counsel shall notify the Chairman of the Board as soon as possible of any reported incidents that meet the criteria listed above. If the LayerOne’s General Counsel is uncertain, the incident shall initially be treated as an incident for escalation.

2.4 Initial examination

LayerOne’s Whistleblower committee will be the General Counsel and the CPO. The Committee will validate the reported concern, analyze the concern and make an initial report to the CEO of LayerOne AS. The report will contain the Committee’s assessment, advice and suggested action steps, if applicable.

If the report is in the nature of an allegation that meets any of the escalation criteria under section 2.3, then the case will be handled by the Chairman of the Audit Committee. Any non-escalation cases will be handled by LayerOne’s General Counsel. The log register shall be updated by noting whether the incident is an escalation case or not.

Reported incidents concerning an operating entity with its own compliance function, shall preferably be forwarded to the operating entity for investigation – unless the nature of the reported concern indicates that the investigation should be performed at LayerOne AS level. Based on the updates and the final report, LayerOne’s General Counsel shall assess whether the case is properly investigated. If that is not the case, LayerOne’s General Counsel shall initiate separate investigation led by LayerOne AS.

If the issue is not assessed to be a compliance incident, LayerOne’s General Counsel shall close the case by noting how the case has been closed (see section 2.6).

2.5 Conducting an investigation

LayerOne’s General Counsel shall decide how the investigation of a non-escalated reported incident shall be conducted.

If deemed appropriate, an investigation team should be assembled, and the reported incident shall then be handled as an escalated incident. The investigation team shall be headed by a designated team leader, and a detailed mandate should be given. The investigative team must be staffed with personnel that have the capabilities to gather and analyse relevant information and present recommendations and conclusions.

LayerOne’s General Counsel shall ensure that the incident is assessed for the need of legal advice. This assessment shall continuously be revisited during the investigation. In addition, the need to inform other staff functions (e.g., the Communications department) should be assessed continuously during the investigation.

After conducting an investigation and depending on the outcome of such investigation, LayerOne’s General Counsel shall give a compliance recommendation to any appropriate addressee of the incident in order to ensure sufficient remediation. LayerOne’s General Counsel shall ensure that all reported incidents reach a conclusion.

If LayerOne’s General Counsel has reason to believe that the reported incident could indicate a criminal offense that normally would give cause to public prosecution, this should be reported to the Board of Directors who shall decide whether the incident is to be reported to the relevant police authorities. The log register shall be further updated by noting work performed, findings, recommendations, and any actions taken.

2.6 Closing and reporting

LayerOne’s General Counsel shall ensure that all relevant information and comments are noted in the log register and in the compliance report (if applicable). Any actions taken shall be coordinated with senior management.

LayerOne’s General Counsel shall annually perform an assessment of the company’s adherence to main principles and procedural steps, including the use, adequacy, and effectiveness of the integrity channels, and report the results of the assessment to the Board. The annual report to the Board shall include:

  • An overview of all logged incidents;

  • Any compliance reports; and

  • An update on the integrity channel procedure and any changes in the procedure, if applicable.

3 Personal data protection

Personal data shall be treated in accordance with the Norwegian Personal Data Act (PDA), the Norwegian law incorporating the European General Data Protection Regulation (GDPR), as well as the Working Environment Act, applicable local laws, and regulations and internal governing documents. The Chief Executive Officer is responsible for ensuring compliance with these regulations in LayerOne AS.

LayerOne’s General Counsel shall ensure that any person reporting an incident or being accused of a violation receives the information set out in GDPR article 13 and 14. This applies regardless of whether the information is collected from the person itself or from others, unless an exemption set out in the PDA applies. Whether an exemption applies, must be assessed on a case-by-case basis.

The persons reporting an incident shall receive the said information when filing a report through any of the established contact points/channels. Any person being accused shall receive the said information, hereunder particularly the suspicion and its basis, as soon as possible and at the latest within one month after the information was collected.

The General Counsel (“data processor”) shall commit to implement security measures in accordance with the Privacy Policy.

LayerOne’s General Counsel is also responsible for the establishment and implementation of internal routines for managing and responding to requests under the GDPR.

The log and all other records shall be handled in accordance with the Privacy Policy. However, information about the actions and decisions made as a result of the investigation, as well as the final report, shall be filed by LayerOne’s ordinary routines.

All personal data collected in course of the investigation, except the final report, should be deleted within 2 months after the investigation is finalized. In the final report, individuals shall only be mentioned by title or position. If the investigation is subject to potential subsequent matters (e.g., legal processes), only the personal data strictly necessary shall be kept until the subsequent matters are brought to a close. LayerOne’s General Counsel shall review the deletion of data routines to verify compliance no less than two months after the investigation is finalized.

All relevant individuals are required to maintain confidentiality about sensitive information and shall sign a declaration of confidentiality if considered necessary by LayerOne’s General Counsel.

4 Implementation and revision

This procedure shall be distributed in line with other company policies and procedures and made available on the company intranet.

This is version 1.0 of the procedure; last revised 05.10.2022.