// PRIVACY NOTICE · WHISTLEBLOWING

Whistleblowing
privacy notice.

How Scout processes personal data submitted through the dedicated whistleblowing channel — controllers, lawful bases, retention, confidentiality, transfers and your rights. Read this notice before submitting a report that contains personal data.

// VERSIONv1.0
// EFFECTIVE22 MAY 2026
// CONTROLLERSScout Ltd · Scout & Co Limited
// CHANNELwhistleblowing@scoutgaminggroup.com
// CONTACTdataprivacy@scoutgaming.com
// Contents 01 Controllers 02 Privacy contact 03 Channel 04 Data we process 05 Legal bases 06 Special-category data 07 Confidentiality & access 08 Transfers 09 Retention 10 Your rights 11 No automated decisions
// 01

Who is responsible for your data.

The controllers of personal data submitted through the whistleblowing channel are:

  • Scout Ltd — Malta company registration number C 64899
  • Scout & Co Limited — Malta company registration number C 81596

The controllers act jointly in respect of whistleblowing intake, intake handling and follow-up. Either controller may also act as sole controller in respect of specific subsequent processing (for example where a follow-up action affects only one entity).

// 02

Privacy contact.

Questions about how your personal data is processed in connection with a whistleblowing report can be sent to: dataprivacy@scoutgaming.com.

The privacy contact is independent of the whistleblowing handlers. The privacy contact is not used to submit reports — use the dedicated channel for that.

// 03

The reporting channel.

The dedicated reporting channel is the email address whistleblowing@scoutgaminggroup.com. Access to this inbox is restricted to designated whistleblowing handlers within Compliance and is not available to other Scout staff.

Oral reports can be arranged at the reporter's reasonable request. Oral reports may, with the reporter's consent, be documented in a written record by the handler.

// 04

What data we process.

The data processed depends on what you choose to disclose. It can include:

  • Identification and contact data of the reporter (only if voluntarily provided)
  • Identification data of persons mentioned in the report (alleged wrongdoer, witnesses, others)
  • The content and supporting documents of the report
  • Communications between the reporter and the handlers, including any meeting records
  • Information generated during the assessment and any subsequent investigation
  • Technical metadata of the report (e.g. timestamp of receipt, mailbox metadata)

You do not need to disclose your identity. Anonymous reports are accepted and processed in the same manner as identified reports, where the information provided is sufficient to do so.

// 05

Legal bases.

The processing of personal data in connection with a whistleblowing report relies on the following legal bases (Article 6(1) GDPR):

  • Legal obligation — to comply with obligations under Directive (EU) 2019/1937 (the Whistleblowing Directive) and equivalent national implementing law, where applicable
  • Legitimate interests — Scout's interest in preventing, detecting and addressing wrongdoing inside the organisation, balanced against the interests, rights and freedoms of the data subjects involved
  • Compliance with obligations in fields where Scout operates as a regulated gaming and B2B services provider
// 06

Special-category & criminal-offence data.

A whistleblowing report may, by its nature, include data relating to suspected criminal offences (Article 10 GDPR) or special categories of personal data (Article 9 GDPR), such as data concerning health, racial or ethnic origin, religious beliefs or sexual orientation.

Where such data is necessary to investigate the report, it is processed on the basis of substantial public interest (Article 9(2)(g) GDPR), the establishment, exercise or defence of legal claims, or the relevant national implementing provision for the Whistleblowing Directive.

Special-category data is handled under the same confidentiality and access restrictions as the rest of the report. It is not used for any purpose other than handling the report and meeting our legal obligations.

// 07

Confidentiality & access restrictions.

Access to whistleblowing reports is strictly limited to designated whistleblowing handlers within Compliance and, where strictly necessary, to specific persons appointed to take follow-up action. All such persons are bound by enhanced confidentiality obligations.

The identity of the reporter, and any information from which the reporter's identity can be directly or indirectly inferred, is not disclosed without the reporter's express consent — except where disclosure is required by law (for example, by a court order or to a competent authority in the context of an investigation). In such cases, the reporter will, where possible, be informed in advance.

Information from a report is not entered into systems where access cannot be limited to handlers — including general ticketing systems, helpdesk tools, or shared email inboxes.

// 08

Transfers.

Personal data submitted through the channel is processed within the European Economic Area. Transfers to processors or to other Scout entities are governed by intra-group data-processing agreements and, where applicable, the EU Standard Contractual Clauses.

Personal data is not transferred to a third country outside the EEA except where a transfer is strictly necessary to handle the report or comply with a legal obligation, and where an appropriate transfer mechanism applies.

// 09

Retention.

Personal data is retained only for as long as necessary and proportionate, taking into account the nature and outcome of the report:

  • Reports that, after assessment, are determined to be outside the scope of this channel: deleted promptly after the assessment is concluded, subject to any minimum retention required by law
  • Reports closed without follow-up action: retained for a defined period to allow audit and to address any later, related reports
  • Reports leading to follow-up action: retained for the period necessary to manage and document the investigation, related proceedings and any legal claims
// PRINCIPLE We do not retain personal data beyond the period needed for the purpose for which it was collected. Specific retention periods are documented internally and are available on request via the privacy contact.
// 10

Your rights.

Subject to the limitations described below, data subjects have the right to:

  • Access their personal data
  • Have inaccurate or incomplete data corrected
  • Have data erased where the conditions in Article 17 GDPR are met
  • Restrict processing in the cases set out in Article 18 GDPR
  • Object to processing based on legitimate interests
  • Lodge a complaint with a supervisory authority (in Malta: the Information and Data Protection Commissioner)

These rights are limited where their exercise would seriously affect the assessment of a report or compromise the protection of a reporter or another person. In particular, the right of access and the right to information may be restricted where granting them would allow the alleged wrongdoer to identify the reporter or to interfere with an ongoing investigation.

To exercise a right, contact the privacy contact at dataprivacy@scoutgaming.com. We will respond within the period required by applicable law.

// 11

No automated significant decisions.

No decisions producing legal effects or significantly affecting an individual are made solely on the basis of automated processing in connection with whistleblowing reports. Assessment and follow-up decisions are taken by designated handlers.

// 12 · UPDATES

Changes to this notice.

This notice may be updated to reflect changes in law, regulator guidance, or our processes. Material changes are notified through the website. The version and effective date at the top of the notice indicate when the current version came into force.