Whistleblower Policy

WHISTLEBLOWER POLICY FOR EMPLOYEES

Last updated: August 2025

Background and Purpose

Ross Energy A/S (hereinafter the “Organization”) is subject to the Danish Act on the Protection of Whistleblowers (the “Whistleblower Act”) and therefore provides a whistleblower scheme for our employees.

A whistleblower scheme is an independent channel through which employees may report suspicions or actual knowledge of serious legal violations or other serious matters within the Organization.

The whistleblower scheme should be regarded as a supplement to the employee’s opportunity to approach management directly if they become aware of errors or unsatisfactory conditions they wish to report.

This whistleblower policy describes in more detail when employees may use the scheme, what can be reported, how a report is handled, and the rights of the persons involved.

Contents

1. Who can report via the whistleblower scheme?
2. Who can be reported on?
3. What matters can be reported?
4. How to make a report
5. Who receives reports?
6. Procedure upon receipt of a report
7. Investigation of a report
8. Duty of confidentiality and disclosure of information
9. Anonymity, protection against retaliation, and other rights of a whistleblower
10. Ongoing communication and deadlines
11. Confidentiality
12. Registration of reports
13. Rights of affected persons
14. External whistleblower scheme at the Danish Data Protection Agency
15. The whistleblower’s right to disclosure to the public

In addition to this information, the Organization has prepared a separate Privacy Policy specifically concerning the processing of personal data in connection with the whistleblower scheme. It can be found on the front page of the portal.

1. Who can report via the whistleblower scheme?

The whistleblower scheme applies to all employees of the Organization, including temporary staff and agency workers.

2. Who can be reported on?

The whistleblower scheme must be used to report information and matters concerning legal violations and serious misconduct committed by employees or other persons connected to the Organization. Such persons may include, for example, members of the board of directors, shareholders, members of the supervisory board, consultants, suppliers, contractors, auditors, etc.

3. What matters can be reported?

The Organization follows the scope of the Whistleblower Act, under which violations of EU law, serious violations of Danish law, as well as other serious matters may be reported, provided they concern persons connected to the Organization.

Reports may relate to suspicions or actual knowledge of violations in areas such as:

• Public procurement/tendering
• Money laundering and terrorist financing
• Protection of privacy and security of network and information systems
• Consumer protection
• Economic crimes such as embezzlement, theft, bribery, fraud, forgery
• Hacking, wiretapping, unauthorized recording of conversations, etc.
• Violations of bookkeeping, tax, or accounting laws
• Breach of confidentiality obligations
• Breach of statutory duty of action
• Unlawful use of force
• Serious and repeated violations of the Public Administration Act or the Access to Public Administration Files Act
• Serious and repeated breaches of administrative law principles such as impartiality, objectivity, misuse of power, proportionality
• Intentional misleading of citizens or partners
• Physical or psychological violence, sexual harassment, or severe harassment based on race, gender, language, financial status, origin, political or religious affiliation, etc.
• Breach of professional standards that may endanger health and safety
• Neglect of duty of care
• Serious or repeated breaches of internal workplace rules (e.g. on travel, gifts, accounting)
• Serious errors or irregularities linked to IT operations or IT system management

The list above is non-exhaustive.

The Act does not apply to trivial matters or minor breaches of internal rules such as those on sick leave, smoking, alcohol, dress code, personal use of office supplies, or minor breaches of documentation obligations.

However, systematic violations may be covered even if individually they appear minor. The scheme may not be used to report on the employee’s own employment relationship, including interpersonal conflicts or HR-related disputes, unless they constitute gross harassment or sexual harassment (which are covered), or unless they pose a real risk to health and safety.

Reports may concern matters that took place prior to the establishment of the Organization’s whistleblower scheme.

4. How to make a report

Employees can report in writing and anonymously via a digital platform administered by an external advisor (see sections 6–7).

Access to the whistleblower scheme is found on the front page of the portal.

Employees should access the link from a private computer/network outside the Organization to avoid digital traces.

Read more about the reporting procedure on the front page of the portal.

5. Who receives reports?

Reports are received by Advodan, which as an external advisor handles all reports submitted via the Organization’s whistleblower scheme. A lawyer from Advodan reviews and assesses the report before sharing it with the Organization’s internal whistleblower unit.

The internal whistleblower unit consists of:

• Sussie Meyer
• Jørgen L. Jørgensen

Before sharing a report, Advodan ensures it does not concern a member of the internal whistleblower unit. If it does, the report will instead be shared with another competent person in management.

This structure is chosen to ensure maximum security and trust for employees submitting reports.

6. Procedure upon receipt of a report

Once a report is received, Advodan assesses whether it falls within the scope of the Whistleblower Act. This may involve follow-up questions or requests for additional documentation.

If the report is outside the scope of the Act, it will be rejected, and the whistleblower will be directed to the appropriate internal channel instead.

7. Investigation of a report

If the report falls within the scope of the Whistleblower Act, the responsible lawyer at Advodan will forward the report to the Organization’s internal whistleblower unit together with a recommendation.

Once the internal whistleblower unit has received the report, it must carry out a thorough follow-up, which may include:

• Initiating an internal investigation to confirm or refute the accuracy of the information in the report
• Informing the Organization’s executive management or board of directors
• Reporting the matter to the police or the relevant supervisory authority
• Deciding on appropriate measures, e.g. employment-related or contractual actions
• Closing the case

The Organization’s internal whistleblower unit is responsible for ensuring that the report is thoroughly investigated and that the necessary measures are implemented, including maintaining ongoing dialogue with Advodan regarding progress and any assistance required in connection with the internal investigation.

Subsequently, the internal whistleblower unit must prepare a report for management, which will decide on the appropriate measures, whether this involves reporting to the authorities or other employment or contractual measures.

Finally, feedback must be provided to the whistleblower within the three-month deadline set out in the Whistleblower Act, see section 10 below.

The internal whistleblower unit may also choose to have Advodan conduct the investigation and provide recommendations on appropriate measures.

8. Duty of confidentiality and disclosure

Only Advodan and members of the internal whistleblower unit have access to the information contained in a report. Reports are subject to a special duty of confidentiality, and the content may therefore not be shared with others.

The special duty of confidentiality applies only to the information contained in a report. If additional information emerges in the course of a further investigation, such information is not covered by this special duty of confidentiality. For such information, the general rules on disclosure and access to documents apply, pursuant to the Access to Public Administration Files Act and the Public Administration Act.

If the whistleblower has waived anonymity, the special duty of confidentiality no longer applies to the information included in the report. Likewise, the Organization is entitled to share information from a report, including the whistleblower’s identity, if known, with, for example, the police. In such cases, the whistleblower must be informed.

9. Anonymity, protection against retaliation, and rights of whistleblowers

As a whistleblower, you have the option to remain anonymous throughout the entire process. The chosen IT solution allows for anonymous communication with the recipient of the reports.

However, a report may be of such a nature that it is difficult to fully investigate the matter unless the whistleblower chooses to come forward and thereby waives their right to remain anonymous. This decision rests solely with the whistleblower. If anonymity is waived, the Whistleblower Act is intended to protect the whistleblower against any form of retaliation, threats of retaliation, or attempts at retaliation that occur as a result of the whistleblower having submitted a report. Retaliation should be understood as any form of adverse treatment or consequence that occurs as a reaction to a report. This may include suspension, dismissal, demotion or failure to promote, reassignment of tasks, transfer, reduction of salary, disciplinary action, coercion, intimidation, harassment, discrimination, etc.

Being named in a report can have significant consequences, and therefore the whistleblower is required to act in good faith regarding the content of a report. A deliberately false report by a whistleblower, for example made for the purpose of harassment, may result in criminal liability for the whistleblower.

Conversely, a whistleblower cannot be held liable for disclosing confidential information if they had reasonable grounds to believe that the information disclosed in the form of a report was correct at the time of reporting, and that the information concerned serious legal violations or other serious matters covered by the law.

On that basis, the whistleblower will also not be held liable for having obtained access to the information reported, provided that the act of obtaining access is not in itself a criminal offence—for example, breaking and entering.

10. Ongoing communication and deadlines

Advodan’s lawyers handle communication with the whistleblower via the whistleblower system.

According to the Whistleblower Act, a whistleblower must receive an acknowledgment of receipt no later than 7 days after submitting a report.

In addition, the whistleblower must, as soon as possible and no later than 3 months from confirmation of receipt, receive feedback. This means that the whistleblower must, to the extent possible, be informed about which measures have been implemented or are planned, and why the specific follow-up has been chosen. In connection with feedback, there may be information that cannot be shared with the whistleblower, for example due to statutory confidentiality, data protection legislation, etc.

In addition to information about the chosen follow-up, the whistleblower should, as far as possible, also be given information about the course and outcome of the investigation, if this can be done in accordance with applicable law.

If, due to the circumstances of the case, it is not possible to provide final feedback within the 3-month deadline, the whistleblower must be informed accordingly, along with information about when further feedback can be expected.

As previously mentioned, a whistleblower may choose to come forward, in which case physical meetings with Advodan or the internal whistleblower unit may become relevant.

11. Confidentiality

The whistleblower scheme is designed and managed in such a way as to ensure confidentiality regarding the identity of the whistleblower and of any persons mentioned in a report.

The IT system used to operate the whistleblower scheme is subject to a number of strict security requirements, which ensure anonymity and confidentiality. This means that the person submitting a report through the scheme will remain anonymous if desired. It also means that the system does not log IP addresses, that metadata is removed from any uploaded files, and that all data transmission and storage are encrypted.

Advodan and the members of the internal whistleblower unit are subject to a duty of confidentiality, and access to all information related to a report is restricted.

12. Registration of reports

Reports received, including the documents forming part of a report, must be registered (systematically stored) to ensure access to the reports and to enable them, where relevant, to be used as evidence in any subsequent legal proceedings. Registration also provides assurance that any reports concerning the same matter are identified and, where relevant, may lead to further investigation. This registration takes place within the whistleblower system.

Reports are stored for as long as necessary and proportionate in order to comply with the requirements of the Whistleblower Act. The principles for retention are further described in the Organization’s Privacy Policy concerning the whistleblower scheme.

13. Rights of affected persons

The person or persons mentioned in a report have the right to have their identity protected during the handling of the case. In addition, the affected persons must have access to an effective defense, which is ensured, among other things, by registering a report in accordance with the requirements of the Whistleblower Act, thereby providing documentation of the matters reported.

Affected persons also have a number of rights in connection with the processing of their personal data. However, due to the Organization’s duty of confidentiality, there are restrictions regarding when affected persons must be informed about the processing of information, and whether they may invoke rights such as access, erasure, etc.

14. External whistleblower scheme – Danish Data Protection Agency

In accordance with the Whistleblower Act, the Organization is obliged to inform its employees about the following external whistleblower schemes, which may be used as an alternative to the Organization’s internal scheme:

The Danish Data Protection Agency (Datatilsynet) has established an independent and autonomous external whistleblower scheme, which allows anyone to report violations of EU law as well as violations falling within the scope of the European Parliament and Council Directive on the protection of persons who report breaches of Union law.

Further information on how to make a report to the Data Protection Agency’s whistleblower scheme can be found here: Whistleblower.dk

Employees of the Organization are free to choose whether to report through the Organization’s internal whistleblower scheme or an external scheme. However, the Organization encourages employees to use its internal whistleblower scheme in cases where the suspected violation can be effectively addressed internally and there is no risk of retaliation.

The possibility of using either the internal or an external whistleblower scheme does not limit employees’ ordinary freedom of expression.

15. Right to public disclosure

The Whistleblower Act and the protections it provides to whistleblowers also apply to a whistleblower’s public disclosure of information mentioned in a report.

However, this is subject to the condition that the whistleblower has either:

• Prior to the disclosure, made a report both to the Organization’s internal whistleblower scheme and to an external whistleblower scheme (e.g. the Danish Data Protection Agency, see above) without appropriate action subsequently being taken, or
• Reasonable grounds to believe that the reported violation constitutes an imminent or obvious danger to the public interest, or
• Reasonable grounds to believe that, by reporting to the external whistleblower scheme, there would be a risk of retaliation or that the matter would not be effectively addressed due to the specific circumstances of the case.