Key Policies, Codes and Principles

[2-24], [205-1], [205-2], [205-3], [206-1]

TAURON Group has adopted a zero-tolerance policy on corruption.

The basic document regulating the area of counteracting corruption at TAURON Capital Group is TAURON Group’s Anti-corruption Policy whose goal is to define uniform rules and standards of conduct that allow for the identification, countering and mitigation of the risk of an occurrence of corruption activities as well as other fraud (abuse).

The implementation and compliance with the Anti-corruption Policy is to ensure the compliance of the operations of TAURON Capital Group’s subsidiaries with the applicable law, the internal and intra-corporate regulations, as well as the ethical principles, thus ensuring proper protection of the interests, reputation and image of the subsidiaries and entire TAURON Capital Group, as well as the transparency of actions taken towards the external entities.

The Policy applies to all of the employees, members of the management board and supervisory authorities, as well as the proxies and the powers of attorney of the subsidiaries. TAURON Group also requires compliance with the standards of behavior set out in the Policy by the external entities.

The goal of the Policy is to counteract not only corruption activities, but also other abuse (fraud), which include, for example:

• theft or misappropriation of company assets (cash, materials, products, tools, equipment) or the property of external entities with which the employee has business relations,
• deliberate falsifying of the company documents or entering false information and data into their content,
• managing the company’s documentation in an unreliable (inaccurate) or untruthful manner, in particular destroying, deleting, concealing, altering or falsifying documents regarding the company’s operations,
• deliberate disclosing of information inconsistent with the facts in the financial statements,
• using the company’s resources for private purposes.

The areas susceptible to the risk of corruption or other fraud related to the operations of TAURON Capital Group include in particular:

• purchasing (procurement) proceedings,
• cooperation with the external entities,
• implementation of the investment processes,
• transactions with related entities,
• expenses related to business trips or entertainment,
• representation and advertising expenses, including invitations and gifts,
• expenditures on the marketing and consulting services,
• cash transactions
• donations and sponsorship agreements.

The following ways of implementing the Anti-corruption Policy by TAURON Capital Group are defined:

1. The Group exercises due diligence to ensure that contacts with the external entities are open and transparent, so as to exclude the possibility of corruption and other abuse (fraud).
2. The Group undertakes to take appropriate (in particular lawful), adequate and proportionate actions in relation to the occurrences of corruption activities and other abuse (fraud). In particular, the company shall notify law enforcement authorities of any potential violations of the legal regulations in the event of a justified suspicion of such violations.
3. Employees and external entities are encouraged to provide information on the violations of the Anti- corruption Policy as well as other irregular behaviors.
4. Anti-corruption clauses are introduced in contracts with the external entities.
5. Raising of the employees’ awareness with respect to the possibility of identifying corrupt activities and other abuse (fraud) is ensured through information activities, training, initiatives related to the elimination of corruption events, enabling proper understanding of the Policy and the application of its principles by employees in their daily work.
6. Cooperation with the external entities in order to eliminate corruption activities and other abuse (fraud).

Due diligence procedures

The activities of the Compliance Officer and the Compliance Coordinators at TAURON Capital Group’s subsidiaries are based on the guidelines presented in the Standards recommended for the compliance management system with respect to counteracting corruption and the whistleblowers protection system at the companies listed on the markets organized by the Warsaw Stock Exchange (Giełda Papierów Wartościowych w Warszawie S.A.), adopted on October 8, 2018.

As part of the due diligence procedures, among other things, the ongoing monitoring of compliance risks is conducted, as part of which data is collected on the cases of corruption and other fraud at TAURON Group’s Subsidiaries.

The due diligence procedures also include the mandatory training for all of TAURON Group’s employees with access to a computer work station named „TAURON Group’s Compliance Management System”. This training presents issues related to, among others, counteracting corruption, conflict of interest prevention, rules for accepting and giving gifts.

E-learning training on TAURON Group’s Compliance Management System was provided in 2022 to 75% of TAURON Group’s employees with access to the training platform

Actions taken and results achieved

Among the activities undertaken as part of TAURON Group’s Anti-corruption Policy, the investigating and probing (fact finding) of corruption activities and other abuse (fraud) are of key importance.

No cases of corruption had been identified in 2022.

Each employee is obliged to study the provisions of TAURON Group’s Anti-corruption Policy, to strictly comply with its content and to sign an appropriate statement on having familiarized himself/herself with the regulation. Newly hired employees are also familiarized with the Anti-corruption Policy.

In addition, TAURON Polska Energia provides monitoring of the procedures as well as the internal and intra- corporate regulations in force at TAURON Capital Group, also with a view to make improvements and develop a system of counteracting corruption and other abuse (fraud).

A brochure outlining the most important provisions of TAURON Group’s Anti-Corruption Policy is posted on TAURON’s website.

An educational and informational campaign entitled „Compliance Chasing Corruption” was carried out at TAURON Group in 2022, as part of which a podcast was recorded with the participation of the Compliance Officer and the Compliance Coordinator at the TAURON Nowe Technologie subsidiary.

As part of TAURON Group’s Compliance Day 2022, a training panel was held to discuss the rules for accepting and giving gifts at TAURON Group.

[2-24]

The Corporate Purchasing Policy implements the priorities set out in TAURON Group’s Strategy regarding ensuring financial stability. TAURON Group’s Strategy formulates expectations for the purchasing area, as a continuation of actions taken to improve the efficiency of the purchasing processes and increase the maturity level of the purchasing processes at TAURON Group.

TAURON Group’s Corporate Purchasing Policy is to facilitate the implementation of the strategic goals of the Purchasing Area, in particular with respect to:

• centralizing TAURON Group’s most important purchasing processes,
• standardizing the purchasing procedures and processes at TAURON Group,
• increasing the level of digitalization of the purchasing processes at TAURON Group.

Due diligence procedures and internal regulations

Due diligence procedures with respect to the Corporate Purchasing Policy include all actions aimed at the continuous improvement of the purchasing processes, both with regard to acquiring goods as well as the operational purchase order processing. To be able to more fully achieve the above objective, the Purchase Order (Contract) Award Regulations and Purchasing Strategy document, whose sample constitutes an appendix to the Corporate Purchasing Policy, have been implemented.

Purchase Order (Contract) Award Regulations

A single common purchasing regulations have been in place at TAURON Group for a number of years, along with the tender documentation templates. The regulations define the principles of planning, preparation and the manner of proceeding and awarding the Purchase Orders (Contracts), and ensure transparency of the purchasing process at TAURON Group. The events of 2022, i.e. the war in Ukraine, forced the introduction of an additional verification (vetting) of the contractors with whom cooperation is undertaken based on the so-called sanction regulations. The changing market, business and legal environment requires a flexible approach to the purchasing regulations, resulting in the subsequent updates thereof. The purchasing area is cooperating closely with the organizational units responsible for compliance, audit and internal control, personal data protection and taxes in order to improve the purchasing process.

The principle of equal treatment of contractors associated with the public procurement law does not allow for the exclusions of contractor from the supply chain due to the footprint generated by their operations and the negative impact on climate. Engagement with suppliers to improve environmental performance in the current state of the law is done on a voluntary basis on the part of suppliers, who can give a non-binding consent to disclose information on the impact of their operation on the environment and climate.

Purchasing Strategies

A Purchasing Strategy is developed for selected purchasing categories, which presents an action plan aimed at optimizing purchasing and reducing the risk of a given purchase, as well as gaining access to solutions and innovations implemented by the suppliers. It also enables the creation of a Knowledge Base in the Purchasing Organization Support System (System Wsparcia Organizacji Zakupów – SWOZ) for the contractor market. Due to the changing market conditions and deteriorating availability of products or services, a decision was made in some areas to change some purchasing categories or decentralize them, in order to increase competitiveness by allowing smaller contractors to perform contracts (fulfill purchase orders).

Actions taken and results achieved

Implementation of the goals established in the Corporate Purchasing Policy resulted in the simplification and standardization of the purchasing process. The key metric of the efficiency of the purchasing process is the increase in the number of bids submitted in the tender proceedings, the so-called increase in the competitiveness of the proceedings, which translates into cost reduction, reduction of the supply chain risks and gaining access to the best solutions available on the market. The higher competitiveness of the proceedings is also projecting a positive image of the ordering (contracting) party on the market, as a transparent and professional entity.

[2-24]

An important initiative implemented at TAURON Capital Group as part of a responsible supply chain is the inclusion of the sustainability criteria into the purchasing process management standard. TAURON Group promotes the idea of corporate social responsibility among its suppliers. It expects cooperation with the contractors (counterparties) who respect human rights and act in accordance with the legal regulations, ensure safe and dignified working conditions and apply not only the highest ethical standards, but also take care of the environment and the climate.

The criteria regarding corporate social responsibility with respect to TAURON Group’s contractors (counterparties) are defined and collected in a single document, i.e. the Code of Conduct for Contractors (Counterparties) of TAURON Group’s Subsidiaries. The Code is an applicable standard in the Capital Group, promoting responsibility among stakeholders and encouraging the implementation of responsible practices among suppliers (including compliance with environmental standards included in legally binding agreements with suppliers).

Due diligence procedures and internal regulations

The goal of the Code of Conduct for Contractors (Counterparties) of TAURON Group’s Subsidiaries is to define uniform standards and transparent rules of conduct as part of the business operations conducted by the subsidiaries, in particular with respect to the relationships with the contractors (counterparties). The Code also includes the rules related to the workforce (among others, work health and safety, discrimination, personnel policy, forced labor, hiring children and minors), the natural environment (environment protection, responsible resource management, taking care of the climate), interactions with the stakeholders (among others, fair competition, combating fraud (abuse), security and protection of information, investor relations).

The Code is applied in relations with the contractors (counterparties) of TAURON Group’s subsidiaries and is applicable to all employees, members of the management board and supervisory bodies of the subsidiaries, as well as proxies and powers of attorney.

The Code is linked with TAURON Capital Group’s other documents:

• TAURON Group’s Corporate Social Responsibility Code of Conduct,
• TAURON Group’s Policy of Respect for Human Rights,
• TAURON Group’s Anti-Corruption Policy,
• The procedure for assessing (vetting) the credibility of TAURON Polska Energia S.A.’s contractors (counterparties),
• TAURON Group’s rules for organizing ventures in cooperation with external entities,
• TAURON Group’s Purchase Order (Contract) Award Regulations.

Actions taken and results achieved

A contractor (counterparty) that takes part in the proceedings organized by TAURON Capital Group’s subsidiaries is obliged to submit a statement confirming that it has studied TAURON Group’s Corporate Social Responsibility Code of Conduct and to comply with its provisions.

[2-24]

TAURON Group’s Compliance Policy defines the basic principles of operation of TAURON Group’s Compliance Management System, in particular: the objective, structure, tools, stages and areas of compliance management.

The Compliance Policy applies to all employees, members of the management board and supervisory bodies of the subsidiaries, as well as the proxies and powers of attorney of TAURON Group.

The objective of the Compliance Management System is to create such factual situation at TAURON Group in which compliance risks are kept to a minimum.

The Compliance Management System’s task is to reduce the risk of sanctions, financial losses as well as the loss of reputation, while contributing to building and consolidating the positive image of TAURON Group. This system was created taking into account the needs and specifics of the entire organization and covers the activities of all organizational units of TAURON Group’s subsidiaries.

TAURON Group’s Compliance Management System is run by:

• Compliance Officer with the support of the Compliance Team at TAURON Polska Energia,
• Compliance Coordinators at TAURON Capital Group’s subsidiaries,
• Ethics Committee.

The Compliance Officer is responsible for:

• supervision of TAURON Group’s compliance management related activities,
• compliance risk management,
• ensuring compliance of TAURON Group’s activities with applicable legal regulations, intra-corporate and internal regulations as well as ethical standards,
• overseeing and conducting of fact finding investigations (including receiving of reports and taking follow-up activities) related to the breaches of legal regulations, internal and intra-corporate regulations as well as ethical standards,
• advising and issuing guidelines and communications related to compliance,
• overseeing of the conducting of activities aimed at counteracting and mitigating the risks of a conflict of interest, corruption or other irregularities,
• overseeing of TAURON Group’s activities aimed at counteracting money laundering (anti-money laundering activities) and financing of terrorism,
• coordinating of TAURON Group’s activities related to raising of the awareness with respect to compliance,
• reporting on compliance management at TAURON Group,
• co-designing of the internal control system.

TAURON Capital Group’s due diligence can be demonstrated based on, among others:

• adoption and application of TAURON Group’s Corporate Social Responsibility Code of Conduct,
• adoption and application of TAURON Group’s Compliance Policy,
• adoption and application of TAURON Group’s Anti-Corruption Policy,
• adoption and application of TAURON Group’s Human Respect Policy
• conducting of the Compliance training as well as information and education campaigns related to Compliance,
• implementing anti-corruption clauses to be included in the contracts,
• adoption and application of the TAURON Group’s Rules for accepting and giving gifts,
• regulating and implementing TAURON Group’s Fraud (Abuse) Reporting System (Whistleblower System) and conducting the fact finding investigations (probes),
• implementation and application of TAURON Group’s Contractors (Counterparties) Credibility Assessment (Vetting) Procedure,
• implementation and application of the Principles (Code) of Conduct for controls (audits) at TAURON Group’s subsidiaries.
• implementation and application of TAURON Group’s Procedure for counteracting money laundering (anti-money laundering) and financing of terrorism.

The Compliance Officer, together with the Compliance Team, conducts cyclical monitoring of the compliance risks that may have a negative impact on TAURON Group’s operations. As part of the monthly risk monitoring, the data on fraud, unethical behavior, non-compliance with laws and corruption is aggregated.

In the event of risk materialization, a Risk Response Plan is triggered, according to which the acceptable state for the limit of that risk is to be reached. Based on the aggregated data, a report is prepared quarterly for the Audit Committee of the Supervisory Board of TAURON Polska Energia S.A. (and every six months the reports for the Supervisory Board of TAURON Polska Energia S.A. are prepared). The above mentioned reports and statements contain the information on the identified risks.

After the end of every calendar year, the Compliance Officer prepares a TAURON Group Compliance Report containing information on the functioning of the Compliance Management System at TAURON Group, including, among other things, an assessment of the adequacy and effectiveness of the system, along with a description of the significant issues related to the functioning of the system. The report also includes the information on the identified compliance risks.

Compliance Training
Due diligence also includes training and information activities at TAURON Group.

The Compliance Officer, together with the Compliance Team, conducted training sessions on compliance management at TAURON Group for the newly hired TAURON Polska Energia S.A. employees, as well as the training courses targeted at selected substantive areas of TAURON Group’s operations in 2022.

On 19/10/2022, another Compliance Day was held, which included the following trainings:

• ”The latest compliance trends and challenges for the management teams related thereto”,
• ”All faces of the conflict of interest”, i.e. what falls under the conflict of interest category at TAURON Group?,
• ”Verification (vetting) of counterparties on sanctions lists”, i.e. a pill of knowledge on the application of the sanctions regulations at TAURON Group,
• ”Can I accept it or not?” – i.e. TAURON Group’s rules for accepting and giving gifts,
• How is the implementation of the Act on whistleblowers progressing at TAURON Group?,
• Shouldn’t a whistleblower be afraid? – a few comments on the Act on the protection of persons reporting law violations (Whistleblower Protection Act),
• Draft Due Diligence Directive, or what obligations are lurking for entrepreneurs?

The event was attended by more than 650 employees from various TAURON Group’s subsidiaries.

Compliance Awards 2021

In 2022, the award in the category of Whistleblowing Project of the Year during the 2021 Compliance Awards was given to the report entitled „Whistleblowing – good practices for ethical business,” a project that TAURON Polska Energia’s Compliance Area was also involved in.

The project included:

• conducting a series of dialogue sessions on the subject of whistleblowers protection, with the business, administration and NGOs representatives invited, among others, to take part in those sessions,
• a market survey aimed at verifying the condition of the whistleblowing in Poland for the year of the directive’s transposition.

The author of the report is the law firm Domański Zakrzewski Palinka sp.k., with the support of the United Nations Global Compact Network Poland and with the participation of the representatives of the business community (including TAURON Group), public, social organizations and experts with respect to whistleblowing, labor law, personal data protection and compliance.

[2-15], [2-24]

TAURON Group’s Corporate Social Responsibility Code of Conduct says: „We avoid situations that could potentially cause a conflict of interest. A conflict of interest in case of an employee of TAURON Group takes place when, acting in his/her own interest or in the interest of any entity, the employee at the same time carries out activities against the interests of TAURON Group. We openly communicate cases that constitute or may constitute a source of a conflict of interest, and we take actions aimed at minimizing the risk of a conflict of interest emerging.”

TAURON Group is running its operations in a transparent manner, respecting the provisions of the law, the provisions of the internal and intra-corporate regulations as well as the highest ethical standards, which translates into actions aimed at eliminating situations that may lead to an emergence of a conflict of interest.

The Principles (Rules) of Counteracting a Conflict of Interest are also in force at TAURON Group. Their purpose is to: identify circumstances that constitute a conflict of interest or may cause it, define the rules for preventing, identifying and managing a conflict of interest, and increasing the level of awareness among employees in terms of identifying, avoiding and disclosing a conflict of interest.
An employee is obliged to immediately report to his/her immediate superior and TAURON’s Compliance Officer, and, at the Subsidiaries other than TAURON, to the Compliance Coordinator, the possibility of a potential or actual conflict of interest occurring.

In addition, in accordance with TAURON Polska Energia’s Labor Regulations in force, one of the basic duties of an employee is to inform his/her superior if he/she undertakes an additional employment, business activities or performs assignments whose scope may lead to a conflict of interest between the employer and the employee.

If a potential conflict of interest is reported, the Compliance Officer at TAURON Polska Energia would issue an opinion in this regard. In order to document the circumstances or events that may result in or cause a conflict of interest at the subsidiaries, conflict of interest registers are maintained. A practical manifestation of counteracting conflicts of interest at TAURON Group is also the submission by the members of tender committees and experts, for the purposes of the given purchasing procedure, of the statements that they are not in a legal or factual relationship with the contractor that could raise reasonable doubts with respect to their impartiality.

With regard to the Members of the Management Board of TAURON Polska Energia an obligation to avoid undertaking professional or non-professional activities that could lead to a conflict of interest has been introduced.

Conflicts of interest are not disclosed to stakeholders.

Actions taken and results achieved

The Compliance Officer at TAURON Polska Energia, and at TAURON Group’s other subsidiaries, the Compliance Coordinator, in accordance with the Company’s policies, conducts outreach and training activities aimed at raising the employees’ awareness with respect to preventing, reporting and managing a conflict of interest.

As part of Compliance Day 2022, a training course on counteracting a conflict of interest at TAURON Group was conducted for the interested employees of TAURON Group.

[2-24], [2-27], [418-1]

With respect to personal data protection, TAURON Capital Group has a Personal Data Protection Policy for TAURON Group’s entities in place, as well as internal processes regarding this matter, including, among others, processes dealing with risk analysis, counterparty assessment, disclosures and advisory services or audit implementation. These activities comply with the provisions of Regulation (UE) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons in relation to the processing of personal data and on the free flow of such data and the repealing of Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR.

The documentation indicated sets out the principles and obligations of the Administrator (Controller) with respect to ensuring security and confidentiality of personal data, as well as regarding access to the information on its processing for the persons (data subjects) that the given personal data is applicable to. In the event that, despite the security measures applied, a breach of personal data protection (e.g. data leakage or loss) has occurred, the Data Protection Controllers (Administrators) at TAURON Group, using the specially prepared forms, inform persons (data subjects), whose personal data is processed by TAURON, of such an occurrence, doing it in a manner in accordance with the legal regulations.

Due diligence procedures provided in the described Policy include in particular:

1. General principles for the processing of personal data specified in art. 5 of GDPR.
2. Rules ensuring that data is processed in accordance with the law – art. 6-11 of GDPR.
3. Obligations of the Data Controllers (Administrators) to comply with the rights of persons whose data is processed – art. 12-23 of GDPR.
4. Regulations on the fulfillment of the general obligations with respect to the data processing entrusted with the Data Controller (Administrator) and the Processing Entity (among others, templates of the agreement for entrusting the processing of personal data to an entity other than TAURON Group’s Subsidiaries, personal data sharing agreements or personal data co-management agreements were updated) – art. 24-31 of GDPR.
5. The necessary data processing security measures, taking into account the nature of the scope, context and purposes of data processing – Art. 32- 36 of GDPR.
6. Control mechanisms over data processing in the form of monitoring the compliance with the regulations and the accepted processing procedures by the Data Protection Officer – art. 27-43.
7. Requirements with respect to the transfer of data to third countries and international institutions – Art. 44 – 49 of GDPR.

In 2022, TAURON Group updated the adopted measures stemming from the GDPR due to the need to:

• ensure the protection of personal data irrespective of the place of its processing,
• carry out risk analyses in order to assess the effects of personal data protection,
• ensure mandatory notification of protection breaches,
• ensure data protection by default and personal data protection by design,
• implement the rights of the customers and contractors (counterparties) whose data is processed by TAURON,
• update the content of the information clauses and consents regarding the processing of personal data,
• adapt the IT systems to the new security requirements for personal data processing.

In the Policy, in accordance with art. 24 and art. 32 of the GDPR, in the performance of the above mentioned compliance obligations, measures that take into account the state of technical knowledge, costs, nature, scope, context, purposes of processing, as well as the risks for persons to whom data is related have been implemented.

The following principles are enforced at TAURON Capital Group:

• legality (lawfulness) of personal data processing: personal data is processed in accordance with the generally applicable law, based on an established legal basis,
• reliability: personal data is processed in a fair (reliable), adequate, relevant and required manner for the purposes of its processing,
• purposefulness: personal data is processed solely for specific purposes,
• accountability: TAURON Group effectively documents the handling of the given persons’ data in order to be fully accountable and prove the fulfillment of the legal obligations regarding its processing,
• minimization: TAURON Group minimizes the processing of personal data, processing it only for the necessary purposes, arising under the provisions of law,
• correctness: TAURON Group takes care of the correctness of data with the utmost diligence, verifying it and enabling its owners (entities subject to GDPR rights), for example, to update the data,
• security: particular emphasis is placed on the security of personal data processing using IT systems, implementing tools and procedures aimed at increasing the security of data processing. Procedures optimizing the security of personal data are implemented and updated, and TAURON Group’s personnel is trained in this regard.

Actions taken and results achieved

TAURON Capital Group undertook further intensive activities in 2022 to demonstrate its care for the security of the personal data processed, by:

1. Ensuring the update of the internal regulations with respect to personal data protection (updates to the Policy were prepared, internal processes of the Data Protection Officer were updated).
2. Keeping the inventory of equipment and software used for processing the information, including their type and configuration, up to date.
3. Undertaking actions to ensure that the persons involved in the information processing process hold the applicable authorizations and participate in this process to an extent adequate to the tasks and duties carried out thereby to ensure information security.
4. Promptly changing the authorizations in the event of a change in the tasks of the persons referred to in item 4 (review of user rights).
5. Providing training for the people involved in the information processing process, with particular regard to such issues as:
   1. requirements for the proper processing of personal data and the reduction of the security risks of its processing,
   2. consequences of violating information security rules, including the legal liability,
   3. use of measures to ensure information security, including devices and software that minimize the risk of human errors.
6. Ensuring the protection of the information processed against theft, unauthorized access, damage or interference thereof, by:
   1. monitoring of access to the information (review of user rights),
   2. activities aimed at detecting unauthorized information processing activities,
   3. providing measures to prevent unauthorized access at the level of operating systems, network services and applications.
7. Establishment of and compliance with the basic principles guaranteeing security of work in case of mobile processing and remote work.
8. Securing the personal data in a manner that prevents its disclosure, modifications, deletion or destruction by an unauthorized person.
9. Including, in the support services contracts signed with third parties, of the provisions guaranteeing an adequate level of information security by meeting certain requirements to ensure the confidentiality of the entrusted personal data (personal data processing entrustment agreement).
10. Setting the rules for dealing with the information that minimize the risk of a theft of information and the information processing means, including mobile devices.
11. Implementation of an adequate level of security in the ICT systems, involving, in particular:
    1. taking care of software updates,
    2. minimizing the risk of information loss as a result of a failure,
    3. protection against errors, loss, unauthorized modification,
    4. using cryptographic mechanisms by the users in a manner adequate to the threats or the requirements of a legal provision,
    5. ensuring the security of system files,
    6. promptly taking actions after noticing the undisclosed vulnerabilities of the IT systems to the possibility of security breaches.
12. Preparing for an implementation of a system for promptly reporting of incidents, enabling the identification and analysis of breaches of personal data protection security, so that corrective action can be taken quickly.

There was no justified complaint regarding a breach of customer privacy received from the regulatory authorities in 2022, while the total number of identified leaks, thefts or incidents of customer data loss increased by 32 complaints in 2022 to 706 complaints, i.e. a 4.7% increase in the number of complaints compared to the same period in 2021.

Increase in the contracted agreements’ performance operations in 2022 by TAURON Obsługa Klienta Sp. z o.o, at the strategic supply and distribution companies, i.e. TAURON Sprzedaż Sp. z o. o, TAURON GZE Sp. o.o. and TAURON Dystrybucja by approx. 2 million (to 12 million) compared to 2021 generated a strong increase in the number of legitimate customer privacy violation complaints received from third parties and acknowledged by TAURON, which rose by 76, compared to 2021. (2021/2022 percentage change of more than 3800%), as a result of errors on personal data processing operations (human error), errors of TAURON’s postal operator, i.e. the Polish Post (delivery of a package to a TAURON customer to the wrong address), and the currency of TAURON customers’ personal data in its processing operations (a failure to update TAURON customers’ contact details).

Actions aimed at correcting (reducing) an increase in the number of legitimate complaints related to the violations of customer privacy received from external entities and acknowledged by TAURON, will be a priority for TAURON’s personal data protection area in 2023.

Material complaints regarding breaches of customer privacy and loss of customer data at TAURON Group in 2022 is presented in Table below.

TAURON Sprzedaż, TAURON GZE Sp. o.o., TAURON Dystrybucja subsidiaries are the centers for the arising of material complaints regarding breaches of customer privacy and loss of customer data (data leakage) in 2022.

[2-16], [2-24]

TAURON Group’s Security (Safety) Management System Policy was implemented in July 2018 and it applies to all of TAURON Group’s subsidiaries. The update of the provisions of the document was published in Q1 2022.

The Security (Safety) Policy and the specific regulations related thereto form a unified, consistent and comprehensive Security (Safety) Management System within TAURON Group that:

• provides an optimal level of security (safety), adequate to the existing threats,
• takes into account the identified risks,
• provides a structured response to threats that minimize the effects or eliminate the risk of the occurrence thereof,
• ensures that the actions taken are systemic in nature, aimed at seeking to achieve the planned security (safety) goals.

The Policy defines TAURON Group’s approach to ensuring security (safety) as part of its business operations and describes the functioning of the Security Management System, which is maintained by TAURON Group.

The Policy defines standards, rules of conduct and organizational structures with respect to security (safety) within TAURON Group, including the assignments of competences and responsibilities. As part of the above mentioned Policy update, among other things, new rules for conducting security audits and the security requirements for third parties were implemented.

Security (safety) management has been divided into substantive areas, including among others:

1. Safety Management System,
2. Information security,
3. IT/OT systems security,
4. Physical security,
5. Security incidents.

Within each area, detailed internal and intra-corporate regulations are developed.

The Security Management System is based on international standards with respect to information security management, such as ISO 27000 and NIST standards.

Due diligence procedures and internal regulations

As part of the Security (Safety) Management System, a number of intra-corporate regulations have been established, regulating in detail specific security (safety) aspects in the given area of operations:

1. TAURON Group’s Security (Safety) Management System Policy – general document,
2. TAURON Group’s Information Classification and Handling Policy,
3. TAURON Group’s Physical Security Policy, along with a set of detailed requirements for physical security,
4. TAURON Group’s Principles of IT System Management,
5. A comprehensive set of security standards for the IT/OT area,
6. TAURON Group’s Incident Management Principles.
7. TAURON Group’s Principles of cooperation of the Task Teams in the event of an announcement of the CRP alert degrees in the event of a terrorist threat related to the ICT systems.
8. TAURON Group’s Requirements for Designers and Contractors of Technical Security Systems and Fire Alarm Systems at TAURON Group.
9. TAURON Group’s Guidelines for the use of Unmanned Aerial Vehicles.
10. TAURON Group’s Principles of reuse and safe destruction of information carriers.

For the purpose of clarifying in detail the aspects of security (safety) management, the subsidiaries may develop internal regulations, applying the principle that these regulations may not lower the level of security (safety) sanctioned by the intra-corporate regulations.

As part of the Security (Safety) Management System, there is a set of processes responsible for various aspects of security (safety) management that are implemented accordingly throughout TAURON Group.

Communication of the critical incidents

TAURON Group defines a critical incident as an incident that causes or may cause a serious deterioration of the quality or an interruption of the continuity of the provision of a key service (within the meaning of the Act of July 5, 2018, on the National Cyber Security System). In the event of an occurrence of such an incident, the information on the incident is communicated to the supervisory bodies and to the Management Board in accordance with TAURON Group’s Security Incident Management Principles in force.

Actions taken and results achieved

Due to the fact that the security (safety) of TAURON Group comes largely down to the attitudes and behavior of employees and colleagues, a number of educational activities are carried out to raise awareness and competences with respect to the broadly understood security (safety):

• mandatory e-learning training for all employees,
• mandatory introductory training in basic security (safety) aspects for the newly hired employees,
• training on the classifying and handling of Information for TAURON Group’s employees, including on the use of the dedicated technical solutions,
• substantive (subject matter) training for the employees responsible for various aspects of security (information security, IT/OT security, security audits),
• promoting the principles in force according to the Policy through information (outreach) campaigns and content available on the Group’s intranet site,
• alerts and security (safety) information (bulletins) as reactions to current and emerging threats for TAURON Group.

TAURON Group is undertaking a number of activities to ensure the security (safety) of TAURON Group’s infrastructure, including by:

• maintaining an extensive infrastructure for monitoring security (safety), physical security and IT/OT security,
• using technical and organizational safeguards (physical security, ICT security),
• maintaining structures responsible for the detection and rapid response to security incidents (in-house Security Operation Center (SOC) operating for 24 hours a day whose employees use special tools such as Security Information Event and Management Software (SIEM) and Security Orchestration Automation & Response (SOAR) as well as an in-house Computer Security Incident Response Team (CSIRT) with high competences in the field of cyber security),
• cooperation with state authorities and services in identifying and neutralizing threats as well as attacks against TAURON Group’s systems and infrastructure,
• conducting security audits and tests carried out using in-house resources and with the involvement of external companies,
• applying the security by design and security by default principles in designing, ordering, maintaining systems and infrastructure that affect security,
• participation in the structures of the National Cybersecurity System,
• cooperation with the power sector entities with respect to the exchange of information on threats, response to incidents, providing feedback and agreeing on common security standards.

TAURON Group is undertaking a number of activities aimed at ensuring security (safety) and raising awareness of TAURON Group’s customers, including by:

• providing information to customers on threats directly related to them, e.g. extortion, phishing, spoofing for TAURON Group, fake SMS messages, etc.,
• maintaining and updating information on threats directly related to customers on TAURON Group’s website.

[2-24]

TAURON Group’s Business Continuity Policy was implemented in October 2020. The document was updated in 2022 and TAURON Group’s Business Continuity Policy was replaced by a document called TAURON Group’s Business Continuity Management Policy, based on the PN-EN ISO 22301:2020 standard – Common Safety: Business Continuity Management System – Requirements.

Ensuring availability, reliability and quality of the product and service delivery to the customer and maintaining business continuity is a priority for TAURON Group, which is in line with TAURON Group’s Strategy for the years 2022-2030 with an outlook until 2050.

TAURON Group, as the entity responsible for providing the key services such as the electricity and heat generation and distribution, is committed to:

• meet the requirements related to the Business Continuity Management System (BCMS) at TAURON Group, which arise, among other things, from the legal, regulatory, organizational and industry requirements as well as the best practice, taking them into account in the internal corporate regulations,
• identify the services and processes that are key from the point of view of their availability (key services, critical processes) for the internal and external customers, and carry out the Business Impact Analysis (BIA) for them, and identify the risks and their assessment as part of the Risk Analysis (RA),
• ensure adequate resources, mechanisms and means for the proper functioning of the BCMS at TAURON Group,
• developing, maintaining, testing, documenting and improving of the Business Continuity Plans and the Disaster Recovery Plans, ensuring TAURON Group’s entities uninterrupted continuity of the operations in the event of the unexpected situations disrupting the normal operations, including the emergencies,
• continuous improvement of TAURON Group’s BCMS.

TAURON Group’s Business Continuity Management Policy, developed for this purpose, is the foundation of the BCMS, defining its objectives, scope and the division of the responsibilities within TAURON Group. The structure of the BCMS described therein takes into account the context of TAURON Group’s operations and its commitment to developing the broadly understood operational resilience in the energy sector.

Access to Basic Services

Ensuring access to the electricity at the reasonable prices is currently one of the primary legal and social obligations undertaken by TAURON Group’s Management Board. TAURON Group provides access to the power grid for more than 5.8 million households located on approximately 18% of Poland’s territory. The Spółka TAURON Dystrybucja subsidiary performs the duties of the Distribution System Operator (DSO), thereby taking on the burden of ensuring the uninterrupted electricity supply for the industry, households, hospitals, schools, institutions, etc. With respect to ensuring the non-discriminatory access to the grid, the DSO not only meets the requirements of the law, but also takes the broader measures aimed at providing the customers with support in the implementation of the grid connection procedures and in the selection of an electricity supplier, as well as pre-empts the requirements of the law by implementing projects aimed at providing the support for the improvement of its customers’ efficiency (for example by installing the remote readout meters).

In accordance with the law, the customers choose an electricity seller for themselves. Free market supply of electricity and, until 2022, gas is carried out by TAURON Sprzedaż and TAURON Sprzedaż GZE. Both subsidiaries are offering customers the comprehensive products (electricity distribution and electricity supply). TAURON Sprzedaż acts as a supplier of last resort in the designated area of operations. This means that in the event that another supplier selected by the customer is unable to carry out the electricity supply (e.g. in the event of a bankruptcy), the provision of the electricity supply is automatically taken over by TAURON Sprzedaż, ensuring the uninterrupted electricity supply to the customers. Recently, there have been many cases of bankruptcy of the electricity supply companies and TAURON Sprzedaż secured the continuity of the power supply for several thousand customers. TAURON Sprzedaż supports its customers in improving the efficiency of energy consumption through the educational activities, and by offering advisory services and selling energy efficient equipment, as well as the automation and intelligent systems, thanks to which the customers are able to save energy. TAURON's counseling, sales and support with respect to the implementation of the grid connection procedures for the residential photovoltaic installations makes it easier for the customers to achieve individual goals for reducing the system electricity consumption leading to the lower CO2 emissions.

The Spółka TAURON Ciepło subsidiary is engaged in the production of the system heat (district heating) and its distribution in the area of the Silesia and Dąbrowa conurbation, among others, but also in the markets of the smaller cities, such as Bielsko Biała, Zawiercie, Kamienna Góra, which are not as business development oriented markets as a large metropolitan area with more than 2 million residents. Providing thermal comfort in the buildings and urban infrastructure facilities is undoubtedly a basic service that allows the community to function – ensuring the supply of hot water and heat that heats the buildings is a guarantee of thermal safety, even in the event of extreme weather conditions. TAURON produces and supplies heat for more than 800 000 residents. The access to the system heat (district heating) ensures comfort and promotes the elimination of the low emissions. The cost of heating flats and buildings, thanks to the efficiency of the heat production and distribution process, is kept at a reasonable level. TAURON took over 100% of the shares in and the management of Energetyka Cieszyńska in 2022. The corrective action was taken to secure the production and supply of the heat to the city’s residents in the situation that had arisen due to the loss of liquidity.

The development of the civilization and the widespread digitization in all walks of life means that basic services include the broadband internet access. The lock-down experience during the coronavirus pandemic increased the demand for all services and at the same time forced an increase in their availability with the use of the IT channels. This applies to the ability to deal with the official matters, education, commerce, access to information and all of the other services. Providing access to the broadband Internet is a measure aimed at reducing the digital exclusion and is one of the basic services in today’s world. TAURON Obsługa Klienta (Customer Service), as an Access Network Operator, is engaged in ensuring the expansion and provision of the Internet access in areas with a lower degree of urbanization, and therefore more difficult and less attractive for business. In a number of areas where there was a shortage of the fiber optic network, TAURON has built lines providing broadband access for more than 100 000 households. The expansion is continued and TAURON is extending access to more and more customers. It is noteworthy that these activities were implemented with the use of the support funds, as the commercially operating telecommunications companies were not interested in pursuing such activities. Thanks to the performance of these activities, the Internet access has been provided for the households, schools and institutions – thus reducing the digital exclusion of the population living in the areas deprived of the Internet access.

As an employer, the Group maintains high European standards of providing access to basic services for both its own employees as well as it spreads awareness of the expected standards among its subcontractors. In accordance with the applicable legal regulations, TAURON Group’s employees, irrespective of the type of work they perform, are provided with access to the potable water in adequate quantities. The employees use both the public water dispensers as well as the bottled water intended for the employees performing their work in the field.

[2-24]

TAURON Group has implemented the Procedure for Assessing (Vetting) the Credibility of Contractors in order to provide protection against the risk of entering into cooperation with entities acting against the law, principles of good conduct and business practices, and in particular to reduce the risk of participation in:

• tax fraud and money laundering procedures,
• cooperation with entities placed on the Sanctions Lists, subject to the financial sanctions or specific restrictive measures.

Assessment of the reliability of contractors (counterparties) is made on the basis of:

• legal and financial characteristics of the contractor (counterparty),
• information on the counterparty’s operations,
• terms of the contract,
• capital (equity) and personal ties,
• Information on the counterparty being subject to sanctions.

 Due diligence procedures

The Compliance Officer and, at TAURON Group’s subsidiaries, the Compliance Coordinators issue reports on the examination of the credibility of counterparties. In addition, as part of the conducted assessment of the credibility of counterparties, potential risks of starting or continuing cooperation with a counterparty are identified.

The Compliance Area issued a total of 1138 counterparty credibility examination reports in 2022.

The information on the external entities for which the significant risks of commencing the cooperation had been identified was periodically reported by the Compliance Officer of TAURON Polska Energia to the Audit Committee of the Supervisory Board and the Supervisory Board of TAURON Polska Energia.

In addition, in 2022, TAURON Group carried out an educational and informational campaign entitled „Know your counterparty, or why and how to verify (vet) TAURON Group’s counterparties?” as part of which a report presenting the most important information on the procedure for verifying counterparties at TAURON Group was published, and a number of training sessions were held for TAURON Group’s employees interested in the subject.

[2-24]

In order to ensure the compliance within TAURON Group with the requirements under the Act on Counteracting Money Laundering (Anti-Money Laundering) and Financing of Terrorism of March 1, 2018, TAURON Group’s Procedure for Counteracting Money Laundering (Anti-Money Laundering) and Financing of Terrorism was introduced, which regulated the exchange and protection of information within TAURON Group and covered all of the Group’s subsidiaries.

TAURON Group does not accept any business relationships with entities involved in money laundering or financing of terrorism, including those subject to financial sanctions or specific restrictive measures.

Obligated institutions within TAURON Group are:

• TAURON Obsługa Klienta (Customer Service),
• TAURON Ubezpieczenia (Insurance)..

Due diligence procedures

TAURON Group’s subsidiaries that are obligated institutions have their own internal procedures for counteracting money laundering and financing of terrorism, and every six months these subsidiaries report on their implementation to TAURON Polska Energia.

The Compliance Officer, together with the Compliance Team, every year organize AML training for employees of TAURON Group’s subsidiaries that are obligated institutions.

In addition, due diligence procedures include mandatory training entitled. „Counteracting Money Laundering (Anti-Money Laundering) and the Financing of Terrorism” available on the e-learning platform for all employees of TAURON Obsługa Klienta (Customer Service) and TAURON Ubezpieczenia (Insurance) subsidiaries.