🚫Sanctions Compliance Policy

📖 Introduction

Policy Overview
This sanctions compliance policy (the “Policy”) establishes the standards and principles for international sanctions and trade restrictions compliance which Terminal Investment (Namibia) (Pty) Ltd (“TIN”), a private company with limited liability existing under the laws of Namibia, having its registered office at 33 Schanzenweg, Windhoek, Namibia, with registration number 2024/0019, and its respective Directors, Employees, and Representatives will abide by.

This Policy is based on and aligned with the TIL Group Sanctions Policy.

Policy Objectives
The objective of this Policy is to set the standards of the Company’s international sanctions compliance by ensuring:

• Clarity and consistency with respect to international sanctions compliance

• Integrity and accountability

• Strong internal controls and assurance in activities and processes

• Mitigation of risk of unintentional non-compliance with sanctions laws

Definitions

• Directors – persons linked to the Company by a governance mandate relationship

• Employees – persons on the Company’s payroll

• Representatives – external consultants, contractors, or collaborators (including their personnel) acting on behalf of the Company

• Restricted Person – any individual or entity on sanctions lists, or owned/controlled by such a person/entity

🌍 Local and International Sanctions

Sanctions Compliance: What Does it Mean?
Sanctions are prohibitions or restrictive measures issued by governments or organizations like the UN or EU. They target countries, individuals, or entities to achieve security and foreign policy goals such as:

• Preventing/ending armed conflict

• Halting proliferation of weapons of mass destruction

• Countering terrorism, narcotics trafficking, and human rights abuses

Which Sanctions Standards Apply to TIN?
TIN must comply with:

• Namibian sanctions law

• UN Security Council sanctions

• African Union (AU) sanctions

• Swiss, EU, UK, and US sanctions

• Avoidance of US secondary sanctions

Other Sanctions That May Apply

• Sanctions from other organizations

• Restrictions triggered by currency use or dual-use technology

• Personal sanctions tied to nationality/residence

• US secondary sanctions on non-US restricted persons

Additional Sanctions Obligations
Certain agreements (e.g., financing, terminal services) may impose:

• Compliance with broader sanctions

• Alignment with partner institutions’ sanctions policies (e.g., UK lists)

🎯 Scope of the Policy

General
All Directors, Employees, and Representatives of TIN must comply with sanctions requirements.

Management Commitment
TIN’s management commits to:

• Allocating resources (staff, IT, training)

• Supporting communication between compliance and management

• Backing training, due diligence, and internal controls

• Investigating any suspected breach

Activities Ensuring Compliance

• Each individual must assess their risk profile and comply with requirements

Company Obligations
TIN shall:

• Not engage in sanctioned activities

• Not deal with Restricted Persons

• Not use resources to benefit Restricted Persons

• Ensure all individuals:

  • Adhere to this Policy

  • Are not Restricted Persons

  • Avoid activities that risk sanctions violations

• Perform self-assessments and risk profiling

• Implement IT-based screening and due diligence

• Include sanctions clauses in contracts

• Train and educate staff

Directors and Employees Obligations

• Basic Compliance Principles

  • Familiarise with this Policy and attend training

  • Avoid violations

  • Report suspicious activity

• Information & Refraining Obligations

  • Identify which sanctions apply personally (by nationality, residence, citizenship)

  • Inform TIN if restrictions apply

  • Refrain from activities that breach sanctions

🛠️ Sanctions Compliance Obligations of the Company

Risk Assessment

• Identify risks through mapping of customers, suppliers, services, operations, and geographies

Implementation of Controls
TIN will:

• Apply IT-based screening for partners

• Verify partners against sanctions lists

• Maintain a sanctions register

• Include compliance clauses in contracts

• Provide training to staff

Roles and Responsibilities
Tasks include:

• Risk profile adjustments

• Training and awareness

• Enforcement of mitigation measures

• Screening and monitoring

• Reporting

Audit and Reviews

• Management reviews this Policy annually and updates as necessary

Communication and Training

• TIN fosters compliance culture through regular training and awareness

Questions on this Policy: fidel.wakudumo@tilnamibia.com

✒️ Authorisation

OFFICIAL DULY AUTHORIZED ON BEHALF OF THE EMPLOYER

🛡️ Anti-Bribery & Anti-Corruption Policy

📖 Introduction

This Anti-Bribery Policy (the “Policy”) establishes the standards and principles for anti-corruption and anti-bribery compliance for Terminal Investment (Namibia) (Pty) Ltd (“TIN” or the “Company”), a private company with limited liability existing under the laws of Namibia, having its registered office at 33 Schanzenweg, Windhoek, Namibia, with registration number 2024/0019, and its related parties.

TIN is committed to undertaking business fairly and in an ethical manner, complying with all laws and regulations applicable to anti-bribery, anti-corruption, gifts, hospitality, charitable contributions and sponsorships.

This Policy defines the minimum standards and guidelines applicable to TIN’s business, in all dealings with third parties, such as customers, Government Officials, and business partners. This Policy is based on and aligned with the TIN Code of Conduct, as well as the TIL Minimum Requirements applicable to the TIL Group.

Any failure to comply with this Policy may lead to disciplinary action up to and including termination of employment or any other service contract, as well as possible civil and criminal penalties.

🌍 Scope

This Policy is mandatory and applies to all entities and Employees of TIN.

Each Employee is responsible and accountable for understanding and meeting the standards described in this Policy and is expected to:

• Read, understand and adhere to this Policy.

• Keep himself/herself informed and aware of any updates to the Policy and follow any relevant training.

• Understand that you may have an obligation to promptly report any activity that in your judgment would be in violation of the Policy.

Additional responsibilities lie with any Employee who is responsible for supervising others:

• Act as a role model in both words and actions, in strict compliance with this Policy.

• Ensure that all Employees under their supervision are trained on this Policy.

• Monitor and assist compliance by the Employees under their supervision.

• Stop any conduct that breaches the Policy and report it to the Compliance Correspondent.

TIN is subject to the laws of the Republic of Namibia, particularly Anti-Corruption Act 8 of 2003.

TIN expects third parties performing services or supplying goods on behalf of TIN, including Representatives, to comply with this Policy or demonstrate equivalent standards.

📚 Definitions

• “Active Bribery” – Any action to, directly or indirectly, offer, promise or give to any person of the private sector an undue advantage, in order to cause that person to carry out or to fail to carry out an act in connection with his or her professional or commercial activity which is contrary to his or her duty or dependent on his or her discretion.

• “Anti-Bribery Laws” – All applicable anti-bribery and anti-corruption laws including the Anti-Corruption Act 8 of 2003 of Namibia, Swiss Penal Code and the Swiss Federal Law Against Unfair Competition, the U.S. Foreign Corrupt Practices Act, the UK Bribery Act 2010, any similar legislation in other jurisdictions, and relevant instruments enacted by international organizations.

• “ARC” – The Audit and Risk Committee of TIN’s board of directors.

• “CO” – TIN’s Compliance Officer, meaning the person(s) acting as the focal point responsible for implementing the TIN Code of Conduct and any related policies including this Policy. At TIN the Compliance Correspondent is the locally appointed compliance officer in the first place but may also mean any member of the TIN Legal, HR or Compliance team. Additionally, the TIL HQ Compliance team may also be contacted at CH106-compliance.department@TILgroup.com.

• “Charitable Contribution” – Anything of value donated by TIN to support charitable causes or activities in the areas of sports, arts, culture, education and science.

• “Corporate Hospitality” – Any event, service or entertainment that TIN hosts or provides, or Employees attend or benefit from, for business-related purposes. Common examples include reasonably priced meals, travel and accommodation, sporting events, theatrical performances and educational events.

• “Corruption” – The action of offering, promising or giving a Government Official, directly or indirectly, an advantage which is not due to him or her, in order to cause that Government Official to carry out or to fail to carry out an act in connection with his or her official activity which is contrary to his or her duty or dependent on his or her discretion.

• “Employees” – TIN’s employees, officers, directors.

• “Facilitation Payments” – Also known as “grease payments”, are any payments or advantages of any kind made with the purpose of expediting or facilitating the performance by a Government Official of any governmental action.

• “Gift” – For the purpose of this Policy, anything of value in relation to TIN business made or received by an Employee in the context of his or her professional activity.

• “Government Official” – A person:

  1. serving with, employed by, or acting as an agent of, any agency or entity of the national, state or municipal governments of any country;

  2. serving with, employed by, or acting as an agent of, any public international organization (such as the World Bank or the United Nations);

  3. working in any government-owned or government-controlled commercial enterprise;

  4. working in a political party; or

  5. running as a candidate for a political office.

• “Representative” – Third party consultants, contractors or their personnel to the extent acting for and on behalf of TILS, TIN or any terminal company.

• “Passive Bribery” – The action of an Employee, directly or indirectly, to solicit, accept, or receive an undue advantage for his or her own benefit or for the benefit of a third person for the commission or omission of an act in connection with his or her professional or commercial activity which is contrary to his or her duty or dependent on his or her discretion.

• “Political Contribution” – A contribution, or a donation made to a politician, political campaign or political party.

• “Sponsorship” – The support of events, activities or organizations that grants rights and benefits to TIN.

• “TIL” – Terminal Investment Limited Sàrl, having its registered office at chemin Rieu 12-14, 1208 Geneva, Switzerland.

• “TIL Group” – Any of TIL, Terminal Investment Limited Holding S.A., its and their subsidiaries (regardless of ownership interest) including holding companies and operating terminal companies.

• “TIN” – Terminal Investment Namibia (Pty) Ltd and their respective Employees and Representatives.

🚫 Policy Principles

TIN strictly prohibits all Corruption, Active Bribery and Passive Bribery including Facilitation Payments.

• Employees must comply with all Anti-Bribery Laws, including extra-territorial laws.

• Engaging in corrupt activities can lead to criminal charges, fines, and imprisonment.

• Employees must not offer, promise, give, solicit, accept or receive an undue advantage in return for favourable treatment.

• Demands must be refused, explained as against TIN’s zero tolerance, and reported to the Compliance Correspondent or TIL HQ Compliance .

💵 Facilitation Payments

• Defined as small, unofficial payments to Government Officials (e.g., customs, permits, licenses).

• Zero tolerance even if legal under local law.

• Exception: tolerated only if health and safety of the Employee is at risk.

• Employees must:

  • Refuse and explain TIN’s zero tolerance.

  • Report to Compliance Correspondent if such a payment is demanded or made .

🎁 Gifts

• Forbidden if illegal, lavish, extravagant, or cash equivalents.

• Allowed if modest (≤ N$ 1,000) and reasonable (e.g., pens, diaries, mugs, promo items).

• Gifts must never create obligation or appear as bribery.

• Government Officials: require prior written compliance approval.

• All gifts must be logged, documented, and reported .

🍽️ Corporate Hospitality

• Must be reasonable, transparent, and compliant with local laws.

• Cannot be used to gain undue advantage.

• Family/friends travel not paid.

• Government Official hospitality requires prior written approval.

• All transactions must be logged with full transparency .

🏛️ Political Contributions, Charitable Contributions & Sponsorships

• No Political Contributions (cash or in-kind).

• Lobbying allowed if legal but must not involve undue advantage.

• Charitable Contributions and Sponsorships allowed only if:

  • Legal, transparent, compliant with laws.

  • Approved in writing with due diligence.

Approval Process (Steps 1–6):

1. Proposal submitted to CO.

2. Request from beneficiary with proof.

3. Due diligence with TIL HQ Compliance.

4. Compliance memorandum prepared.

5. TIN Board decision.

6. Beneficiary provides signed receipt .

🤝 Relationships with Third Parties

• Compliance due diligence before engagement.

• Payments must be legitimate and proportionate.

• Third parties must comply with this Policy or equivalent.

• Employees must refuse to work with suspicious parties and report concerns .

📑 Books & Records

• All payments must be recorded accurately and in detail.

• No false, misleading, incomplete, or hidden accounts.

• Personal funds may not be used to bypass this Policy .

🔍 Compliance Review

• TIL HQ Compliance reviews Policy annually.

• Any amendments or material changes reported to the Audit and Risk Committee (ARC) .

❓ Questions

All questions must be directed to the Compliance Correspondent .

✒️ Authorisation

OFFICIAL DULY AUTHORIZED ON BEHALF OF THE EMPLOYER

🔐Data Protection Policy (TIN.IT.POL.018)

🎯 Purpose

The purpose of this Data Protection Policy is to ensure that Terminal Investment Namibia (“the Terminal”) processes personal data in compliance with applicable data protection laws and in a manner that safeguards the rights and freedoms of data subjects. This policy supports the Terminal’s commitment to the confidentiality, integrity, and availability of personal data.

📚 Definitions

• Data Breach – Breach of security leading to accidental/illegal destruction, loss, alteration, unauthorized disclosure, or access to Personal Data.

• Data Controller – Determines purposes and means of Processing Personal Data.

• Data Processor – Processes Personal Data on behalf of the Controller.

• Data Protection Coordinator – Person in charge of data protection issues at the Terminal, monitoring and reporting to Compliance.

• Data Subject(s) – Natural person whose Personal Data is processed.

• Employees – All Terminal employees, representatives, officers, and directors.

• Cyber Security Team – MSC IT Department’s Cyber Security Team (📧 CH001-itsecurity@msc.com).

• Personal Data – Any information relating to an identified or identifiable natural person (e.g., names, addresses, contact details, job info, IP addresses, device numbers).

• Sensitive Personal Data – Includes racial/ethnic origin, religion, political opinions, trade union activities, health, genetic/biometric data, criminal proceedings, or personality profiling.

• Processing – Any operation performed on Personal Data (collection, storage, use, disclosure, erasure, etc.).

• Sub-processing – Processing by a Subprocessor.

• Subprocessor – Entity engaged by a Data Processor to handle Personal Data.

🌍 Scope

This policy applies to all employees, contractors, consultants, vendors, and third parties who process or access personal data on behalf of the Terminal. It covers all personal data processed, regardless of medium or format.

🗝️ Principles for Processing Personal Data

At each stage of the data lifecycle, the Terminal is committed to:

📥 Collection & Use of Personal Data

• Lawful, fair, and legitimate basis

• Transparent communication with data subjects

• Specific, explicit, and legitimate purposes

• Adequate, relevant, and limited to what is necessary

• Secure against unauthorized access, loss, or damage

• No adverse effects on Data Subjects unless authorized by law

📂 Management of Personal Data

• Accurate and up to date

• Retained only as long as necessary

• Documented and tracked throughout lifecycle

• Shared only on a “need-to-know basis”

• Transferred across borders only when lawful and approved

👤 Responsibility

• Data Protection Coordinator

  • Maintain a processing register

  • Provide training and awareness

  • Serve as contact point for Employees and Data Subjects

  • Support the Terminal with supervisory authority inquiries

• Information Technology Manager

  • Develop and maintain this Policy

  • Ensure compliance and coordinate with other departments

  • Handle inquiries via 📧 tin.itsupport01@tilnamibia.com

✅ Compliance

Compliance with this Policy is mandatory. Violations may result in disciplinary action, up to and including termination.

📜 Policy Statements

🔄 Data Processing & Sub-processing

• Engage only trustworthy processors/subprocessors.

• Require written agreements before processing begins.

• Ensure cross-border transfers meet all legal requirements.

🚨 Data Protection Breach

• Non-Compliance Reporting – Employees must report breaches immediately to the Data Protection Coordinator (or Legal Advisor if conflict of interest).

• Breach Reporting – The Terminal must implement effective reporting and may be required to notify Data Subjects and/or supervisory authorities promptly.

👥 Roles & Responsibilities

Management

• Approve any media communications or regulatory notifications only with Compliance Team approval.

Employees

• Report any Data Breach immediately to:

  • Local Management

  • Local IT Managers (if applicable)

  • Data Protection Coordinator

• Breaches must also be reported to the Compliance Team and Cyber Security Team within 24 hours.

📊 Monitoring & Enforcement

• Compliance monitored through regular audits and reviews.

• Non-compliance may result in disciplinary action, up to termination.

🛡️ Policy Coverage

TIN.IT.POL.001

Information Security Policy

Leadership commitment; Security program; Security requirements

TIN.IT.POL.002

Organisation of Information Security

Organisation structure; Roles and responsibilities; Policy life cycle management

TIN.IT.POL.003

Acceptable Use of Information Technology

Acceptable use rules

TIN.IT.POL.004

Access Management

User & system access; Account management; Passwords

TIN.IT.POL.005

Asset Management

Information asset management; Protection requirements; Classification; Labelling & handling; Endpoint security; Disposal; Mobile device management

TIN.IT.POL.006

Disaster Recovery

Disaster recovery; RTO/RPO; Mission critical systems classification

TIN.IT.POL.007

Communication & Network Security

Network security; Remote access; Secure file transfer; Third-party access

TIN.IT.POL.008

Cryptographic Management

Key management; Approved techniques

TIN.IT.POL.009

Incident Management

Information security incident management

TIN.IT.POL.010

Risk Management

Risk management; Security awareness; Training

TIN.IT.POL.011

Logging & Event Monitoring

Logging and monitoring of events

TIN.IT.POL.012

IT Operations Management

IT operations procedures; Change/configuration/capacity/release management; Backup & restoration; Cloud computing

TIN.IT.POL.013

Physical & Environmental Security

Facility controls; Equipment & media security

TIN.IT.POL.014

Secure System & Software Lifecycle

Security in system/software lifecycle; Development processes; System hardening

TIN.IT.POL.015

Third Party Information Security

Contractual risk identification; Selection; Security provisions; Life cycle management

TIN.IT.POL.016

Vulnerability Management

Vulnerability and patch management

🔄 Document Change Control

• Version 0.9 – Jan Coetzee (JC), 31-05-2025, Final revision for approval

📅 Annual Review

This Policy must be reviewed and updated by the Information Technology Manager annually or when significant changes occur.