PRIVACY POLICY IN CONNECTION WITH THE WHISTLEBLOWER SCHEME

Last updated: August 2025

The purpose of this policy is to describe Ross Energy’s processing of personal data in connection with reports made through the whistleblower scheme.

Ross Energy has entered into an agreement with an external screening partner, meaning that reports are received by this external partner, who assesses whether the report falls within the scope of the Whistleblower Act and ensures that the report is sufficiently clarified before it is shared with a qualified contact person within the company. For further details, see our Whistleblower Policy on the front page of the portal.

The company is the data controller for its processing of personal data in connection with a report and must therefore comply with the information obligations under Articles 13 and 14 of the General Data Protection Regulation (GDPR) with respect to the persons mentioned in a report (see section 2) and the persons submitting a report (see section 3).

We also refer to Ross Energy’s Whistleblower Policy for further information about who may make reports, what may be reported, and how reports are handled, etc.

Our external screening partner is Advodan Glostrup Copenhagen, which is an independent data controller for the processing of personal data carried out by Advodan. You can find their privacy policy here:

https://www.advodan.dk/da/advodan-glostrup-kobenhavn/advodan-glostrup-kobenhavn/

1. Data Controller and Contact Information

Ross Energy A/S

CVR No. 31177316

Store Kongensgade 81D, 2nd floor

1264 Copenhagen K

Contact person:

Klaus Petersen Roth

E-mail: klaus.roth@rossoffshore.dk

Phone: +45 27 73 49 10

2. Information Regarding Persons Mentioned in a Report

2.1 Purpose

The purpose of processing personal data about persons mentioned in a report is to handle and investigate reports received through the whistleblower scheme and to process these within the framework of the Whistleblower Act.

2.2 Categories of Personal Data

In connection with reports, the processing may involve ordinary personal data, special categories of personal data (sensitive personal data), and data relating to criminal offenses.

Ordinary personal data may include name and contact details (e-mail, telephone number) as well as other circumstances reported.

Information in a report is presumed to potentially include data on criminal offenses, legal violations, or other types of data considered confidential or sensitive, for example information regarding sexual matters.

2.3 Sources of the Data

Employees and, where applicable, other persons who have access to use the whistleblower scheme.

2.4 Legal Basis for Processing

The processing of personal data is based on the following legal grounds:

  • Ordinary personal data covered by Article 6 of the General Data Protection Regulation is processed on the basis of Section 22 of the Whistleblower Act
  • Sensitive personal data covered by Article 9 of the General Data Protection Regulation is processed on the basis of Section 22 of the Whistleblower Act
  • Data relating to criminal offenses is processed on the basis of Section 22 of the Whistleblower Act

2.5 Recipients

Personal data included in a report is shared with Advodan, which, as an external advisor, handles reports received via Ross Energy’s whistleblower scheme. After screening the reports, Advodan shares them with the Organization’s internal whistleblower unit.

In addition, data is shared with IT providers and, where relevant, public authorities if a report gives rise to such disclosure.

2.6 Retention

Personal data is stored for as long as relevant in order to fulfill the purposes described, including:

  • We store data for as long as an investigation is ongoing. Thereafter, the retention period depends on the conclusions of the investigation
  • If a report is deemed unfounded, the data is deleted within 6 months from the final assessment
  • If a report falls outside the whistleblower scheme but is of a nature that warrants handling through other channels within the Organization, the data is shared with management and processed in accordance with the Organization’s relevant policies and procedures
  • If a report is submitted to an authority, the data is stored at least for the duration of the case
  • If a report leads to disciplinary action against a person mentioned in the report, or if there is otherwise a legitimate reason to retain the data, it will be stored in that person’s personnel file and deleted in accordance with the Organization’s deletion policy for personnel data.

3. Information Regarding the Person Who Has Made a Report (the Whistleblower)

3.1 Purpose

The purpose of processing personal data about the person who has made a report is to handle and investigate reports received through the whistleblower scheme and to process these within the framework of the Whistleblower Act.

3.2 Categories of Personal Data

As a whistleblower, you have the option of making an anonymous report, and it is your own choice whether you wish to waive anonymity.

Provided the report is not made anonymously, the processing will involve ordinary personal data, which may include name, contact details (e-mail, telephone number), and the information contained in the report.

The processing is not expected to involve sensitive personal data or data concerning criminal offenses about the whistleblower, unless there is a suspicion that a deliberately false report has been made.

3.3 Sources of the Data

We receive information from the whistleblower, and if it is deemed necessary to investigate a possible suspicion of a deliberately false report, it may also be relevant to collect information from other persons, e.g. other employees, business partners, etc.

3.4 Legal Basis for Processing

The processing of personal data is based on the following legal grounds:

  • Ordinary personal data covered by Article 6 of the General Data Protection Regulation is processed on the basis of Section 22 of the Whistleblower Act
  • Sensitive personal data covered by Article 9 of the General Data Protection Regulation is processed on the basis of Section 22 of the Whistleblower Act
  • Data relating to criminal offenses is processed on the basis of Section 22 of the Whistleblower Act

3.5 Recipients

Personal data included in a report is shared with Advodan, which, as an external advisor, handles reports received via the Organization’s whistleblower scheme. After screening the reports, Advodan shares them with the Organization’s internal whistleblower unit.

In addition, data is shared with IT providers and, where relevant, public authorities if a report gives rise to such disclosure.

3.6 Retention

Personal data is stored for as long as relevant in order to fulfill the purposes described, including:

  • We store data for as long as an investigation is ongoing. Thereafter, the retention period depends on the conclusions of the investigation
  • If a report is deemed unfounded, the data is deleted within 6 months from the final assessment
  • If a report falls outside the whistleblower scheme but is of a nature that warrants handling through other channels within the Organization, the data is shared with management and processed in accordance with the Organization’s relevant policies and procedures
  • If a report is submitted to an authority, the data is stored at least for the duration of the case
  • If a report leads to disciplinary action against a person mentioned in the report, or if there is otherwise a legitimate reason to retain the data, it will be stored in that person’s personnel file and deleted in accordance with the Organization’s deletion policy for personnel data.

4. Information for Persons Covered by a Report

If you are the subject of a report through the whistleblower scheme, you will be notified as soon as possible after a preliminary investigation has taken place, where all relevant evidence has been secured and it is assessed that the duty of confidentiality no longer constitutes a basis for withholding information about the processing of personal data.

The information provided to you will include details about the allegations reported, information on who has had access to the report, and who has carried out the investigation.

As part of your general rights under the General Data Protection Regulation (GDPR), you have the right of access to the report. Provided we are aware of the identity of the reporter, you may also have the right to access this information, unless you are prevented from doing so by law.

If it is assessed that the report constitutes a deliberately false report, you may be granted access to the identity of the reporter, provided we know who the reporter is.

Furthermore, you have the right to request that information in the report which you believe is incorrect, misleading, incomplete, or outdated be rectified. If we cannot accommodate your request, your comments will instead be noted in connection with the report.

5. Rights

In connection with our processing of your personal data, you have the following rights:

  • Right of access to the personal data we process about you
  • Right to have incorrect data rectified
  • Right to have data deleted if it is no longer relevant
  • Right to object to unlawful processing
  • Right to receive the data you have provided yourself in a structured, commonly used, and machine-readable format (data portability)
  • Right to lodge a complaint with the Danish Data Protection Agency (www.datatilsynet.dk)

Please note that there may be conditions or limitations to the above rights. For example, you may not be able to access your personal data if there are overriding considerations relating to the protection of the privacy of other individuals.

You may exercise your rights by contacting the contact person indicated above.