CORPORATE GOVERNANCE AND ETHICAL COMMITMENT

CORPORATE
GORVERNANCE AND
ETHICAL COMMITMENT

CORPORATE GOVERNANCE

The Corporate Governance system of NH Hotel Group is made up of the Bylaws, the Board of Directors’ Regulations, the General Shareholders’ Meeting Regulations and the Internal Regulations for Conduct on Securities Markets, as well as the other rules, codes, internal procedures and corporate policies approved by the competent bodies of the Company.

This System has been formalised in line with the highest standards of compliance with good practice in corporate governance, as defined by, among others, the Good Governance Code for listed companies (the “Good Governance Code”), approved by a Resolution of the Board of the CNMV on February 18th, 2015, and revised in June 2020, which is aligned with the recommendations on good governance of international markets.

BOARD OF DIRECTORS OF NH HOTEL GROUP

The Board of Directors is the Company’s senior management and representation body. It is empowered, within the scope of the corporate object defined in the Bylaws, to carry out any acts of administration or disposal, under any legal title, except those reserved by law or by the Company’s Bylaws to the exclusive competence of the General Shareholders’ Meeting. Consequently, the Board of Directors is conceived as a supervisory and control body, while the ordinary management of the Company’s business is entrusted to the executive bodies and the management team.

The functions of the Board of Directors and its Committees (Audit and Control Committee and Nominations, Remuneration and Corporate Governance Committee) are expressly reflected in articles 33, 47 and 48 of the Bylaws and articles 5, 25 and 26 of the Board Regulations, among others. At the General Meeting of the Shareholders of NH Hotel Group dated June 30th, 2021, and at the meeting of the Board of Directors of NH Hotel Group held on July 28th, 2021, the Company approved the amendment of several articles of the Bylaws and of the Board Regulations on the occasion of the reform of Royal Legislative Decree 1/2010, of July 2nd, approved the Companies Act (Consolidating Act), in relation to the functions and powers of the Board of Directors and its Committees.

The Board of Directors will discharge its duties in line with the corporate interest, which is understood to be the Company’s interest; and in this regard it will act to safeguard the Company’s long-term viability and to maximise its value, also weighing the many legitimate public or private interests involved in relation to any business activity.

NEW DEVELOPMENTS IN THE BOARD AND ITS COMMITTEES IN 2021

In 2021, a number of articles of the Bylaws and of the Board Regulations were amended in relation to the functions and powers of the Board of Directors and its Committees, in order to bring their content into line with Act 5/2021, of April 12th, amending the Companies Act (Consolidating Act) approved by Royal Legislative Decree 1/2010, of July 2nd, (hereinafter the “LSC”), and other financial regulations, with regard to the fostering of long-term involvement of shareholders in listed companies (hereinafter, “Act 5/2021”) and to adapt their content to best practice in corporate governance.

In this regard, the General Shareholders’ Meeting held on June 30th, 2021, resolved to amend certain articles of the Company’s Bylaws, to update them:

  • The functions of the Board of Directors: its sphere of competence has been extended, to bring it into line with the new features introduced both by Act 11/2018, and by Act 5/2021:
    • Inclusion of “non-financial reporting” as one of the decisions that cannot be delegated.
    • Inclusion of a new definition of “Related-Party Transactions”, and decision making in accordance with the provisions introduced by Act 5/2021.
  • The functions of the Nominations, Remuneration and Corporate Governance Committee: the sphere of competence has been extended, to bring it into line with the new wording of the Good Governance Code for Listed Companies. As a result, certain ESG (“Environmental Social and Governance”) tasks have been assigned to the Nominations, Remuneration and Corporate Governance Committee, the powers of which will include:
    • Supervising the application of the general policy in relation to economic and financial, non-financial and corporate reporting, as well as communication with shareholders and investors, proxy advisors and other stakeholders.
    • Evaluation and periodic review of the corporate governance system and the Company’s environmental and social policy.
    • Overseeing that the Company’s social and environmental practice conforms to the established strategy and policy.
    • Supervision and evaluation of the processes for relations with different stakeholders.
    • Ensuring that the corporate culture is aligned with its mission and values.
  • The Functions of the Audit and Control Committee: its sphere of competence has been extended, to bring it into line with the new wording of the Good Governance Code for Listed Companies, attributing the following tasks explicitly to the Audit and Control Committee:
    • Overseeing and evaluating the drawing-up process and the integrity of financial and non-financial information and overseeing the control systems for the management of financial and non-financial risks.
    • New control functions in relation to the external auditor.
    • Ensuring the independence and effectiveness of the internal audit function; proposing the selection, appointment, re-election and removal of the head of the internal audit service; proposing the budget for this service; approving or proposing the Board’s approval of the internal audit focus and annual work plan, making sure that the activity is mainly focused on the relevant risks (including reputational risks), receiving periodic information on its activities; and verifying that senior management takes into account the conclusions and recommendations of its reports.
    • Establishing and overseeing a mechanism that allows employees and other persons related to the company, such as directors, shareholders, suppliers, contractors or subcontractors, to report, confidentially, any potentially relevant irregularities, including financial and accounting or any other irregularities related to the company that they observe within the Company or its group. This mechanism should guarantee confidentiality and, in any case, provide for situations in which reports may be made anonymously, respecting the rights of the whistleblower and the reported person.
    • Ensuring in general that the established internal control policies and systems are applied effectively in practice.
    • Overseeing compliance and internal codes of conduct, as well as corporate governance rules.

At its meeting held on July 28th, 2021, the Board of Directors resolved to amend certain articles of the Board Regulations, incorporating the new treatment of the approval of related-party transactions, in order to adapt them to the modifications made by Act 5/2021.

BOARD COMMITTEES

Audit and Control Committee

Focused, among other matters, on supervising the effectiveness of the Company’s internal control and the process of drawing up and presenting statutory financial information, ensuring the independence and effectiveness of the internal audit function and of the external auditor.

In 2021, Mr. José María Cantero de Montes-Jovellar was appointed as the new chairman of the Audit and Control Committee, replacing Mr. Fernando Lacadena Azpeitia, in compliance with the mandatory rotation established in article 23 of the Board of Directors Regulations.

Composition of the Audit and Control Committee
As of December 31st, 2021

Nominations, Remuneration and Corporate Governance Committee

Focused mainly on proposing the appointment of Independent Directors or reporting on the suitability of other directors to be appointed, as well as analyzing and evaluating everything related to remuneration of both Board members and Senior Management, drawing up the corresponding policies. It is also responsible for supervising and controlling compliance with the rules of corporate governance and the policies on environmental, social and economic-financial, non-financial and corporate reporting, proposing to the Board the necessary Reports and Reports.

Composition of the Nominations, Remuneration and Corporate Governance Committee
As of December 31st, 2021

Current Board of Directors Composition

Composition of the Board of Directors
As of December 31st, 2021

The current composition is the result of:

  • The reelection of the following Directors:
    Mr. William Ellwood Heinecke, with the category of Proprietary.
    Mr. Emmanuel Jude Dillipraj Rajakarier, with the category of Proprietary.
    Mr. Stephen Andrew Chojnacki, with the category of Proprietary.
    Mr. José María Cantero de Montes-Jovellar, with the category of Independent; and
    Mr. Fernando Lacadena Azpeitia, with the category of Independent.
  • The ratification of the Director Mr. Rufino Pérez Fernández, with the category of Executive.

The reelections and ratification of these Directors were resolved at the Ordinary Annual General Meeting of the Company held on June 30th, 2021.

Between December 31st, 2021 and the date of drawing up this Report, there have been no changes in the composition of the Board.

The complete profile of all members of the Board of NH Hotel Group and its committees is public and can be consulted at the Corporate Governance section of the Company’s corporate website.

SELECTION POLICY FOR DIRECTOR CANDIDATES

Candidate Selection Objectives and Process

On December 22nd, 2020, following a favourable report issued by the Nominations, Remuneration and Corporate Governance Committee, the Board of Directors approved modifications to the Director Selection Policy in line with the Good Governance Code, which ensures that proposed appointments of directors of the Company are based on a prior analysis of the Board’s needs. To evaluate the candidates who participate in the selection process, the procedure considers the skills, experience, professionalism, suitability, gender, independence, knowledge, qualities, capacities and availability of members of the Board of Directors from time to time. The Nominations, Remuneration and Corporate Governance Committee plays a relevant role in this process.

This Policy seeks to avoid discrimination and ensure that merit is the governing selection principle in finding the best candidates for the Company.

Conditions that candidates must fulfill

Candidates for the post of Director of the Company must meet requisites of qualification and professional and personal honorability. They must be suitable and prestigious individuals, of recognized professional capability, competence and experience, with sufficient qualifications, training and availability for the position. Candidates must show a commitment to their role, with a personal and professional history of respect for the law and commercial good practice, and they must comply with the obligations always established by law in order to be part of the Board of Directors. Furthermore, they must be professionals of integrity, whose conduct and career are aligned with the ethical principles and duties established in the Company’s internal regulations, and they must share the Group’s vision and values.

Promotion of Diversity

NH Hotel Group is convinced that diversity in all its facets, at all levels of its professional team, is an essential factor to ensure the Company’s competitiveness and a key element of its corporate governance strategy. In the candidate selection process, discrimination is avoided, and merit is the principal selection criterion, in the corporate interest, and the process is designed to seek the most qualified candidates.

However, and notwithstanding the above, every time a vacancy arises on the Board of Directors, and the corresponding selection process starts, at least one woman must participate as a candidate. As far as it is compatible with the composition of the shareholders and the management body, the Company maintains the intention to comply with the 15th Recommendation of the Good Governance Code, so that the number of female members of the Board of Directors represents at least 40% by 2022.

To reach this target, the Nominations, Remuneration and Corporate Governance Committee will ensure that the selection process does not suffer from any implicit bias that impedes the selection of female Directors and that the potential candidates include women who match the required professional profile.

MANAGEMENT COMMITTEE

The NH Hotel Group Management Committee is conceived as a body that guarantees the viability of the business, seeking growth and establishing the Company’s strategic framework, developing talent and leadership.

The Management Committee meets on a weekly basis and is made up of the Chief Officers of the different areas:

Composition of the management committee
As of December 31st, 2021

SENIOR MANAGEMENT AND BOARD REMUNERATION

The average remuneration of the Management Committee in 2021 is 336,925.46 euros (299,214.83 in 2020 and 578.427 in 2019). This includes fixed salary, vehicle, medical insurance, life insurance and accident insurance. Until July 2021, the Management Committee waived 20% of its fixed salary.

As of December 31st, 2021, the Management Committee is made up of 7 men and one woman. The average remuneration per gender is not disclosed for reasons of confidentiality. In 2021, as there were, temporarily, no women on the Board of Directors, no comparison of data is possible.

In accordance with the Directors’ Remuneration Policy, the Chairman of the Board of Directors has a fixed annual allowance of 200.000 euros, and the Chairmen of the Audit and Control Committee and the Nominating, Compensation and Corporate Governance Committee have a fixed annual allowance of 90.000 euros. The fixed annual allowance for a member is 50.000 euros, except for the Executive Directors, who do not receive a fixed annual allowance.

For the second consecutive year, due to the crisis deriving from COVID-19, the Board members voluntarily waived 20% of their remuneration from January to April 2021 and 100% of their remuneration in May and June 2021.

The remuneration of Executive Directors is included in the figures shown for the Management Committee as their duties as members of the Board are not remunerated.

Further information on the remunerations Policies for the Board of Directors is available in the Annual Corporate Governance Report 2021.

SHAREHOLDER STRUCTURE

At the end of 2021, the share capital of NH Hotel Group, S.A. totaled € 871,491,340 and was represented by 435,745,670 bearer shares with a par value of 2€ each, fully subscribed and paid in.

According to the latest notifications received by the Company and the communications sent to the Spanish National Securities Market Commission (Comisión Nacional del Mercado de Valores – CNMV) before the year end, the most significant shareholders at the end of the year were as follows:

RELATIONS WITH SHAREHOLDERS AND INVESTORS

Throughout 2021, NH Hotel Group has been in permanent contact with the Company’s analysts and investors in order to satisfy their needs concerning the Group’s general evolution. This contact with the market has taken place through individual meetings and in the participation in investors’ conferences organized by various financial institutions and individual call requests.

The Company produces consistent and transparent financial information on a regular basis, with the aim of permitting monitoring for the analysis and valuation of the Group.

As a listed company, NH Hotel Group publishes quarterly results for the market. At the time of the half-yearly and annual publications, a call / conference with the market is also carried out, attended on average by 50 participants between investors and analysts.

The quarterly results published detail the following:

  • KPIs and drivers of results.
  • Evolution by geographical areas.
  • Evolution of costs.
  • Breakdown of cashflow and financial debt position.

In addition, the Investor Relations department is in permanent contact with the market through calls, trips, investors’ conferences … in order to inform the investment community of the Company’s evolution.

COMPLIANCE SYSTEM, ETHICS AND CONDUCT

NH Hotel Group continues to implement measures to foster and highlight the compliance culture and the importance of consolidating an ethical business culture, raising awareness among all employees of the relevance not only of complying with the applicable legislation but also of acting ethically and in accordance with the Company’s principles and values.

The aim pursued is that all employees be aware that not only what is done but also how it is done matters, and to this end several measures and tools have been put in place to work on this mission, the most important of which are described below.

NH Hotel Group is committed to complying with the laws and regulations in the countries and jurisdictions in which it operates. This includes, among other issues, laws and regulations on health and safety, discrimination, taxation, data privacy, competition, anti-corruption, prevention of money laundering and environmental commitment. Key areas covered by the Code include

CODE OF CONDUCT

NH Hotel Group continues to bolster the compliance function, based fundamentally on the principles and values contained in its Code of Conduct, which is translated into ten languages – six of which are published on the corporate website and intranet – and is applied in all countries where NH Hotel Group operates. In addition, since 2017, through the “My NH” App, the Company’s employees can access it from their mobile device. Staff at centers operating under the NH Hotel Group brands also have access to a Practical Guide and a Frequently Asked Questions document.

The purpose of the Code of Conduct is to determine the principles, values and rules that are to govern the conduct and behaviour of each of the professionals and executives of the Group, as well as members of the governing bodies of Group companies and stakeholders that interact with NH Hotel Group. It outlines the professional conduct expected of NH Hotel Group employees, who are committed to acting with integrity, honesty, respect and professionalism in the performance of their duties.

Employees are required to take a training course on the Code of Conduct in order to ensure that they have read and understood it. Completion of this course is recorded in the system.

The Code of Conduct is reviewed periodically by the Compliance Officer to adapt and update its contents when necessary.

The function responsible for monitoring and adapting the Code of Conduct, plans in 2022 to propose to the Board of Directors an update of the Code of Conduct, with the aim of updating, completing and adapting it to new legal requirements and best practices in this area.

In addition to NH Hotel Group’s Code of Conduct, there are a series of specific policies shown below:

POLICY UPDATES IN 2021

In 2021, The Corporate Policy for the Prevention of Money Laundering and Terrorist Financing was amended and updated. This update was approved by the Board of Directors, after being reviewed and validated by the Compliance Committee and the Audit and Control Committee.

The changes made have fundamentally consisted of two aspects:

  • Update of the appendix referring to cash payments, in order to adjust the new thresholds for such payments and adapt them to the legislation of each country, and
  • The inclusion of the obligation to provide supporting documentation of the validity of making payments and/or carrying out transactions in cases that are generally not permitted, when they derive from operations in the ordinary course of business and the Company’s activity.

For these purposes, work has commenced on establishing an internal corporate process to reinforce the control and validation of this type of transactions.

INTERNAL RULES OF CONDUCT

These rules establish the minimum standards that apply to the purchase and sale of securities, as well as to privileged and confidential information, and how such information should be handled.

CRIMINAL RISK PREVENTION MODEL

It describes the principles applicable to the management and prevention of crimes within NH Hotel Group and defines the structure and operation of the control and oversight bodies established within the Company, systematizing existing controls for the purpose of preventing and mitigating the risk of crime in the different areas of the Company.

Monitoring, updating and evaluation of controls is performed periodically by the Compliance Office through the SAP GRC tool.

PROCEDURE FOR CONFLICTS OF INTEREST

It establishes the rules to be followed in situations in which the interest of the Company or any of the Group companies comes into conflict with the direct or indirect personal interest of the directors or of persons subject to rules governing conflicts of interest.

This procedure was updated in 2021 -with a favourable report from the Audit and Control Committee and the approval of the Board of Directors – as a result of the changes made in Royal Legislative Decree 1/2010, of July 2nd, approving the Companies Act (Consolidating Act).

COMPLIANCE COMMITTEE

Established in 2014, the Compliance Committee is made up of members of the Management Committee and Senior Management who have sufficient knowledge of the activities of NH Hotel Group and at the same time have the necessary authority, autonomy and independence to assure the credibility and binding nature of the decisions made.

This body is responsible for overseeing compliance with the key areas of the Compliance System: the Internal Rules of Conduct on Securities Markets, the Procedure for Conflicts of Interest, the Code of Conduct and the Criminal Risk Prevention Model, among others.

The Compliance Committee oversees the activity carried out by the Compliance Office and monitors all the internal processes and policies implemented in the Company, and observance and compliance with them. It also has the authority to take disciplinary measures against employees in relation to matters falling within its scope of competence.

Three meetings of the Compliance Committee were held in 2021.

COMPLIANCE OFFICE

The Compliance Office, under the leadership of the Compliance Officer, reports directly to the Chief Legal & Compliance Officer of NH Hotel Group and to the Compliance Committee and is responsible for spreading awareness of and monitoring compliance with the Code of Conduct, for monitoring and periodic supervision of the Criminal Risk Prevention Model, for creating and updating corporate policies as well as monitoring compliance with the Model and handling queries regarding the Code of Conduct, among other functions.

Specifically, in 2021 the corporate policy on the prevention of money laundering and terrorist financing has been updated to adjust the new thresholds applicable to cash payments, among other aspects.

Furthermore, in 2021, NH Hotel Group has provided the head of the Compliance Office with the necessary resources for continuous training on compliance.

WHISTLEBLOWING CHANNEL

NH Hotel Group has enabled a whistleblowing channel that allows employees, managers, members of the administrative bodies, suppliers, customers or any interest group to report any breach of the Code of Conduct, guaranteeing confidentiality and respect in all the phases involved, as well as non-retaliation. Following the entry into force on 17th December 2021 of the new European regulations related to whistleblowing channels, NH Hotel Group has decided to adapt its internal reporting and whistleblowing protocol through the implementation of a new external platform.

The access and e-mail address of the Whistleblowing Channel are available on the NH Hotel Group website and on the intranet. The Internal Audit Manager oversees the management of the Whistleblower Channel.

In addition, NH Hotel Group has defined a procedure for notification and treatment of possible breaches and complaints of the Code of Conduct. The procedure sets out the principles governing the Channel, the description of the parties involved in the complaint, the deadlines and the sanctioning procedure.

The head of Internal Audit is in charge of managing the Complaints Channel, in which confidentiality and respect are guaranteed in all the phases that it entails, as well as non-retaliation. Its procedure is specified in detail in the Code of Conduct.

There are currently no ongoing external investigations against NH Hotel Group related to the Code of Conduct or corruption-related matters.

In 2021, a total of 47 alleged breaches of the Code of Conduct were reported. The pertinent disciplinary measures were applied, and a response was given to all 69 queries received.

After analyzing the queries and alleged breaches reported through the whistleblowing channel or other formal mechanisms of the compliance office, none of them has resulted in a breach under any of the following categories:

In relation to these breach categories, the Company currently has no ongoing investigations initiated in 2021 or prior years and has not had to take any disciplinary action against any employee. Furthermore, it has not had to terminate any contract with any commercial partners due to incidents of corruption or any other type of incident included in the categories mentioned above.

AWARENESS OF AND TRAINING ON ETHICS AND CONDUCT

The Company has an online training tool for all NH Hotel Group employees with personalised mail through which they are provided with online courses on different matters, to ensure that they are correctly informed of, understand and consequently comply with them. This includes the following courses relating to ethics and conduct:

  • Code of Conduct
  • Crime Prevention
  • General Data Protection Regulation
  • Prevention of money laundering and terrorist financing
  • Antifraud and corruption
  • Human Rights

All courses on the above matters include an exam that measures employees’ level of comprehension. NH Hotel Group also has a supervision and control system both for drawing up financial information (ICFR) and for criminal risks (CPM). This system is audited regularly.

TRAINING ON HUMAN RIGHTS

Respect for Human Rights is one of the principles on which the activity is based in all the countries where NH Hotel Group is present. It is also materialized in the development and implementation of a Policy dedicated to respect for Human Rights that strengthens and extends the commitment that is already established in the Company’s Code of Conduct.

With the aim of spreading awareness of this commitment and knowledge of Human Rights and of the actions that NH Hotel Group carries out to respect these rights, the “Human Rights” online course is available for Front Offices and General Managers.

Through this course, the Company materializes its own commitment, directly involving this group in the Company, and next year the course will be provided to the rest of the employees, sharing stories and practices that help to understand the crucial role that human rights play in the hotel sector.

With this training, NH Hotel Group promotes knowledge not just of its Human Rights policy, but also of the due diligence process to identify, prevent, mitigate and report potential risks and consequences deriving from the daily actions of employees, suppliers or guests.

INITIATIVES IN RELATION TO COMPLIANCE IN 2021

During 2021, the internal newsletter “Tell The World” has been used to issue capsules of information related to Compliance to all the Company’s employees.

Thanks to these information capsules, the Company disseminates and promotes knowledge and awareness to all its employees of the importance of Compliance and to continue reinforcing ethical culture of the Company.

ZERO TOLERANCE OF CORRUPTION

As previously stated, NH Hotel Group has an Anti-Fraud and Corruption Policy, as well as its Policy for the prevention of Money Laundering and Terrorist Financing, applicable to all employees, executives and members of the Board of Directors of NH Hotel Group. In addition, NH has other internal procedures, such as the Gift Policy, all of which contribute to establishing controls, internal processes and mitigating associated risks.

The Company carries out continuous monitoring and control of the policies and internal procedures. The Crime Prevention Model sets out explicitly the due diligence measures established by the Company, as well as the investigation procedure and response in the event of breach, in accordance with the law concerning the criminal responsibility of legal persons.

As indicated above, the Compliance Committee along with the Compliance Office, is responsible for managing crime prevention and, therefore, for the definition, implementation and supervision of the Crime Prevention Model.

TAX TRANSPARENCY: PROFITS AND TAXES

The Tax Strategy for NH Hotel Group (available at
nh-hotels.com/corporate > Corporate Governance > Policies) was approved by the Board of Directors on July 27th, 2015, considering that one of the pillars underpinning the entire Group’s business strategy should be avoiding or minimising risks, including tax risks.

The strategy is based on complying with tax legislation in all the jurisdictions in which NH Hotel Group is present, applying an interpretation of such legislation that fundamentally has due regard for the spirit and purpose of the laws.

NH Hotel Group S.A. is signed up to the Spanish Tax Agency’s Code of Good Tax Practice. The purpose of that Code is to promote a reciprocally cooperative relationship between the Tax Agency and the different companies that have signed up to the Code. This relationship is based on the principles of transparency and mutual trust, with the aim of reducing the legal uncertainty to which companies may be exposed with the tax authorities.

Guiding Principles of the Tax Strategy

  • Compliance with tax legislation in all locations where it is present.
  • Prevention and reduction of significant tax risks.
  • Collaboration, loyalty and good faith with the Tax Administrations.
  • Reporting to the Board of Directors on the main tax implications of transactions.

Monitoring and Control
The Board of Directors, through the CEO and Senior Executives, drives the monitoring by the Group of the application of the principles and good practice concerning tax affairs.

Furthermore, the Board of Directors has the support of the Group’s Audit and Control Committee, which is to oversee the effectiveness of the tax risk management and control systems and provide the pertinent information to the Board periodically.

The Company monitors and follows up its tax policy, complying with the mechanisms established by law, in its tax policy and in the control framework approved by the Board.

Income or losses before taxes and the taxes paid per country described above are affected, in some cases, by circumstances such as the sale of assets, the exit of hotels, early depreciation of assets due to repositioning or the situation of hyperinflation in the case of Argentina. It should also be noted that the corporate income tax shown in the above table is as calculated on a settlement basis.

RELATIONS WITH GOVERNMENTS AND POLICY INFLUENCE

The Company manages its business in accordance with its corporate values and its ethical and conduct framework. It also ensures strict compliance with ruling legislation in each country.

In relation to local governments, the Company always acts independently of any political power, maintaining transparency in its dealings with public and administrative institutions.

NH Hotel Group is characterised by absolute political neutrality. The Company does not make economic or other contributions to political parties or candidates in elections.

NH Hotel Group does however form part of sectorial organizations or foundations linked to its activity or to the geographical area where it operates. Through its presence in these organizations, the Company aspires to contribute to the progress and development of the places where it is present. More information is available in the Chapter NH ROOM4 Responsible Shared Success: Sustainable Alliances.

CYBERSECURITY

Cybersecurity is vital in the digital age. Information security incidents are currently one of the main risks to which businesses are exposed. Accordingly, at NH Hotel Group we focus on strengthening computer security mechanisms and protocols, through policies, rules, procedures and employee training.

Accordingly, cybersecurity and GDPR training is aimed at fostering a culture of information security in the Company that will serve to establish the bases for the protection of both our confidential information and that of our customers, suppliers and other stakeholders.

NH Hotel Group’s strategy in relation to cybersecurity is under constant review in the committees of the Executive Management team that oversees the cybersecurity strategy. To achieve the goals that have been set, a range of initiative and measures are identified and planned, that are to be implemented to improve NH Hotel Group’s security capabilities, and also to prevent and/or mitigate any risk that may arise.

On account of the pandemic, working from home has grown and, as a result, the use of devices away from the secure environment of businesses. The volume of cyberattacks has also grown exponentially. For this reason, NH Hotel Group continues to work on greater monitoring of the entire net, with new, more powerful and advanced tools that give greater control over possible improper accesses, as well raising awareness among employees and stakeholders in order to minimise the risk of such cyberattacks.

Guests also expect their data to be kept securely and processed ethically. Cybersecurity is integrated in our culture to promote behavior that protects the Company and our guests’ information.

DATA PRIVACY AND PROTECTION

In a sector as competitive as the hotel business, the customer experience is a critical differential factor to ensure the satisfaction and loyalty of our customers. NH Hotel Group has mechanisms in place to protect data privacy, aware that this is a key aspect in generating trust.

With the entry into force of the new data protection regulations in 2018, NH Hotel Group has continued to adapt its personal data management and control systems to EU Regulation 679/2018 (GDPR) and Spanish Act 3/2018 (LOPDGDD). Regarding sensitive data, such as credit cards, NH has once again renewed its PCI Compliance certification, and has adapted procedures and systems in line with the new PSD2 legislation. NH Hotel Group’s intention is to process the personal data of its customers, employees and suppliers with the utmost guarantees of respect for their privacy and always complying with the applicable legal obligations.

Accordingly, the data protection sections of legal disclaimers, both on websites and on documents provided to customers, have been updated. The Company has also implemented a series of measures to make these privacy policies and legal disclaimers accessible to customers at all times.

In the framework of this adaptation, the Company has implemented an additional information system that is available to end customers, so that they can discover each of the types of processing carried out by NH Hotel Group. All of this is set out in the NH Hotel Group privacy policy which can be accessed using the following link:
nh-hoteles.es/politica-privacidad

Security is integrated comprehensively across all areas of the Company, covering profiles from different areas of operation to guarantee effective risk management, with due regard to the sensitive and critical nature of each environment. There are also risk indicators on the main matters of interest regarding security, that serve to define and implement action plans aimed at reducing or eliminating the threats identified.

NH Hotel Group also has several email addresses in place for the management, on the one hand, of the data protection right matters raised, whether pertaining to customers, employees and/or suppliers, when personal data are obtained, and an email address for reporting any kind of incident and/or complaint relating to data protection. Specifically, this last email address is the one created specifically for the Data Protection Officer. When a security matter is reported to the Data Protection Officer’s email, a process of evaluation of the notification commences, in order to determine whether it is of relevant scope for protection purposes. If so, the incident is forwarded to the Departments of NH Hotel Group that could be involved, to assess the need for any communication to a Data Protection Supervisory Authority and/or to any data subjects that may have been involved in the incident. A written record is kept of this entire process.

As a Spanish company, the Supervisory Authority in relation to data protection for NH Hotel Group is the Spanish Data Protection Agency, with which relations are conducted habitually using that agency’s Online Site.

As far as the Company’s employees are concerned, in their capacity as users of personal data, they undergo mandatory training on data protection to ensure that they know how to process data in compliance with the regulations. This training is provided when they join the Company and is noted and supervised by the Human Resources Department.

As mentioned above, NH Hotel Group has a Data Protection Officer, whose duties are not just to comply with the requirements of the new regulations, but also to ensure, among other functions, that customers’ rights in relation to data protection are always handled by the organization in accordance with the principles established in the new regulations, and to act as a point of contact throughout the Company to clear up any doubts that may arise in relation to data protection. Finally, NH Hotel Group has continued in 2021 with the improvement project in relation to the quality of data within the organization.

NH Hotel Group has integrated the controls related to compliance with these regulations in its compliance model. Consequently, the risk management and IT departments are ultimately responsible for overseeing these controls, receiving any communication related to information privacy and reporting on a regular basis to the Audit and Compliance Committee and to the Board of Directors.

The Group’s compliance is supervised through periodic audits that ensure that NH Hotel Group complies in full with the requisites defined in the legislation on privacy, paying particular attention to the General Data Protection Regulation (GDPR).

The NH Hotel Group risk map contains a pillar called “compliance” linked to data privacy (GDPR) and information security and different management and control measures are in place such as:

  • Periodic review and update of the risk matrix.
  • “Privacy by Design” procedures.
  • Creation of the Data Protection Office with the support of specialist advisors.
  • GDPR training for employees.
  • Existence of a whistleblowing channel to report possible security breaches related to data protection.
  • Existence of a disaster recovery plan.

NH Hotel Group also has a procedure to respond in the event of incidents in the information systems, which includes roles and responsibilities, steps to follow in order to restore operation of equipment and systems, recovery times, etc.

“1,642 hours of training in privacy and data protection and a total of 1,484 employees trained”

To date, no sanctioning procedure has been opened that could result in a financial penalty for the Company as a result of a security breach with data protection implications.

PROTECTION OF
HUMAN RIGHTS

The principle of respect for and protection of Human Rights is integrated into the culture of NH Hotel Group and is applied to the activities carried on through the professionals, independently of the country or region where the activity is carried out. The Company is committed to complying with Human Rights and works to prevent and manage the risks associated to the breach of such rights. NH Hotel Group’s international presence in countries where the defense of human rights needs to be boosted leads us to be transmitters of the concept and to ensure frameworks of relations and management are in place in which the defense of these rights is assured.

INITIATIVES FOR THE PROTECTION OF
HUMAN RIGHTS

NH Hotel Group carries out its activity in a framework of commitment to the society and environment where it operates, and therefore accepts the contents of national and international agreements and treaties, undertaking to promote and comply with them. These commitments will avoid or, as the case may be, mitigate any negative consequences that its activities might cause to Human Rights.

The commitments acquired on subscribing to these international agreements guide the conduct of all the employees in the Company.

Notable among these codes voluntarily accepted by the Company are the UN Global Compact, support and contribution to the Sustainable Development Goals (SDG) and the Global Code of Ethics for Tourism, approved in 1999 by the Assembly of the UN World Tourism Organization (UNWTO). This code comprises 10 principles designed to guide key players in tourist development, aspiring to help to maximise the sector’s benefits while minimising its impact on the environment, cultural heritage and local communities.

The Company rejects any tourist activity that might constitute an attack on human rights or human dignity, paying special attention to children. Accordingly, in September 2012 NH Hotel Group joined ECPAT (End Child Prostitution, Child Pornography and Trafficking of Children for Sexual Purposes) for the protection of boys, girls and adolescents against sexual exploitation in tourism, also promoted by UNWTO and UNICEF.

HUMAN RIGHTS POLICY OF NH HOTEL GROUP

In 2020, the Board of Directors approved the NH Hotel Group Human Rights Policy, a document that sets out all the principles and commitments undertaken by the Company in this regard.

The Policy establishes our commitment to respect Human Rights in accordance with the highest international standards and works to PROTECT, RESPECT AND REMEDY (prevent and manage) the risks associated to the breach of such rights.

Health and safety

Protection of
Team Members’
rights

Freedom of
association and
collective bargaining

Promotion of equality
and inclusion

Child rights and
child labour

Slavery, servitude or
forced labour

Respect local
communities and their
environment

Right to freedom of
opinion, information and
expression

Corruption

Intellectual property

Privacy

The policy reinforces a sound and responsible governance model, that fosters transparent and responsible management on the basis of a single corporate document with global scope that, among other aspects, will make it possible not only to manage better the risks wherever NH Hotel Group is present, but also ensure knowledge and integration of the policy in the value chain. Through this Policy, the Company undertakes to play an active role in the promotion of Human Rights and to work proactively to this end. The Policy reflects the commitments already undertaken in this regard and guarantees respect for the labour rights of all employees and contractors, in all the countries where the Company is present, in accordance with ruling law in each country.

Relations with all stakeholders the Code applies to should always be based on respect for human dignity and non-discrimination. The Company rejects all conduct, behaviour or action likely to foster, promote or incite, directly or indirectly, hatred, hostility, discrimination or violence against a group for racist reasons or other reasons referring to the ideology, religion or beliefs, family situation, membership of an ethnicity, race or nation, national origin, gender, sexual orientation or identity, or due to illness or disability.

NH Hotel Group emphatically prohibits any hostile or humiliating actions against people, the abuse of authority and any type of harassment, whether physical or psychological, as well as any other conduct that could generate an intimidating, offensive or hostile working environment. Furthermore, no child labour or forced labour is tolerated.

The Company also recognizes that the principle of equality of treatment and opportunities for addressees of the Code of Conduct is a principle that inspires its Human Resources policies and is applicable both to the hiring of employees and to training, career opportunities or salary levels, as well as all other aspects of labour relations with employees.

The Code of Conduct also prohibits the imposition on employees of health and safety conditions at work that damage, suppress or restrict their rights as recognized by legal provisions, collective agreements or individual contracts. No form of illegal traffic of labour or fraudulent emigration is permitted, and applicable legislation will be always respected regarding the entry and transit of foreign nationals.

The Code also explicitly states that the exercise of the rights of protest, association, organization and collective bargaining in the framework of the rules regulating each of these fundamental rights and in accordance with international law and practice, in particular, the United Nations Universal Declaration of Human Rights and the principles proclaimed by the International Labour Organization, will not be unduly limited.

COMPLIANCE IN RELATION TO
HUMAN RIGHTS

As described above, in order to guarantee compliance with the Human Rights Policy, the Internal Audit department undertakes to supervise the principles and rules reflected in the Policy and, therefore, is responsible for analyzing any irregularity related to it.

NH Hotel Group has a whistleblowing channel, in order to make it easy to report any possible irregularity, breach or behavior contrary to ethics, law and the rules that govern the Company.

Possible breaches of Human Rights are handled through the Internal Audit department, which is responsible for managing the Group’s Whistleblowing Channel (codeofconduct@nh-hotels.com).

The Company has also put in place a specific external communication channel to report, process and manage incidents reported by suppliers (codeofconduct@coperama.com). The procedure for reporting and dealing with possible breaches of the Code of Conduct will be managed by the Group’s Senior Vice President of Internal Audit.

In 2021, there were no reports relating to a possible breach of human rights.

HUMAN RIGHTS DUE DILIGENCE

NH Hotel Group continues with its Human Rights Risk Management project which has been implemented in different phases:

  • In the first phase, a process was carried out to identify the inherent human rights risks of the Company’s global operations; with the subsequent publication of the Policy that includes the commitment to respect and protect the rights identified in the Company.
  • In the second phase, a corporate Due Diligence Guide for Human Rights was drawn up, as a support tool in applying the Protocol to all the Company’s operations.
    This Guide will serve as an instrument to increase the control over and the efficiency of processes, mitigate the risk of reputational damage and favor the correct public positioning of the Company.
  • In December 2021, training in Human Rights was launched. Initially, it was sent to the Company’s General Managers and Front Office Managers, as these are the groups of employees whose job needs them to be more familiar with possible breaches of Human Rights, both to identify possible situations of risk and to know how to proceed when faced with an incident of this nature.
  • In the next phase, an assessment of the residual risk of breach of Human Rights in NH Hotel Group will be carried out, with the aim of defining action plans to mitigate any failure to comply on a case-by-case basis. All the hotels in the portfolio will participate in this analysis. Thanks to this self-assessment, all the public commitments acquired by NH Hotel Group will be covered.

As a result of this commitment, Human Rights risks will be monitored on the Company’s risk map in order to traction the pertinent mitigation or resolution processes. With this initiative, situations and activities with the highest (direct or indirect) risk of having a negative impact on these rights will be identified and assessed.